Abstract

We present a constant-round concurrent zero-knowledge protocol for NP. Our protocol is sound against uniform polynomial-time attackers, and relies on the existence of families of collision-resistant hash functions, and a new (but in our eyes, natural) falsifiable intractability assumption: roughly speaking, that Micali's non-interactive CS-proofs are sound for languages in P.
1 Introduction


Zero-knowledge (ZK) interactive proofs [GMR89] are paradoxical constructs that allow one player (called the Prover) to convince another player (called the Verifier) of the validity of a mathematical statement x ∈ L, while providing zero additional knowledge to the Verifier. Beyond being fascinating in their own right, ZK proofs have numerous cryptographic applications and are one of the most fundamental cryptographic building blocks.

The notion of concurrent zero knowledge, first introduced and achieved in the paper by Dwork, Naor and Sahai [DNS04], considers the execution of zero-knowledge proofs in an asynchronous and concurrent setting. More precisely, we consider a single adversary mounting a coordinated attack by acting as a verifier in many concurrent executions (called sessions). Concurrent ZK proofs are significantly harder to construct and analyze. Since the original protocol by Dwork, Naor and Sahai (which relied on so-called "timing assumptions"), various other concurrent ZK protocols have been obtained based on different set-up assumptions (e.g., [DS98, Dam00, CGGM00, Gol02, PTV12, GJO+12]), or in alternative models (e.g., super-polynomial-time simulation [Pas03b, PV10]).

In the standard model, without set-up assumptions (the focus of our work), Canetti, Kilian, Petrank and Rosen [CKPR01] (building on earlier works by [KPR98, Ros00]) show that concurrent ZK proofs for non-trivial languages, with "black-box" simulators, require at least Ω(log n) communication rounds. Richardson and Kilian [RK99] constructed the first concurrent ZK argument in the standard model without any extra set-up assumptions. Their protocol, which uses a black-box simulator, requires O(n^ε) rounds. The round-complexity was later improved in the work of Kilian and Petrank (KP) [KP01] to O(log^2 n) rounds. Somewhat surprisingly, the simulator strategy of KP is "oblivious": the "rewinding schedule" of the simulator ignores how the malicious verifier schedules its messages. The key insight behind this oblivious simulation technique is that a single "rewinding" may be helpful for simulating multiple sessions; in essence, KP performs an amortized analysis, which improves the round-complexity. (As we shall see shortly, such an amortized analysis will play an important role also in this work.) More recent work by Prabhakaran, Rosen and Sahai [PRS02] improves the analysis of the KP simulator, achieving an essentially optimal (w.r.t. black-box simulation) round-complexity of O(log n); see also [PTV12] for an (arguably) simplified and generalized analysis.

The central open problem in the area is whether a constant-round concurrent ZK protocol (for a non-trivial language) can be obtained. A major breakthrough towards resolving this question came with the work of Barak [Bar01], demonstrating a new non-black-box simulation technique that seemed amenable to constructing constant-round protocols that are resilient to concurrent attacks. Indeed, Barak demonstrated a constant-round bounded-concurrent argument for NP based on the existence of collision-resistant hash functions; bounded concurrency here means that for every a-priori polynomial bound m on the number of concurrent executions, there exists a protocol (which depends on m) that remains zero-knowledge as long as the number of concurrent executions does not exceed m. (In particular, in the protocol of Barak, the message length of the protocol grows linearly with the a-priori bound m on the number of concurrent executions.)

But a decade later, the question of whether "full" (i.e., unbounded) concurrent zero-knowledge is achievable in a constant number of rounds is still wide open.

1.1 Our Results

In this work, we present new falsifiable intractability assumptions, which in our eyes are both natural and reasonable, under which constant-round concurrent zero-knowledge is achievable.
P-certificates We consider an analogue of Micali's non-interactive CS-proofs [Mic00] for languages in P. Roughly speaking, we say that (P, V) is a P-certificate system if (P, V) is a non-interactive proof system (i.e., the prover sends a single message to the verifier, who either accepts or rejects) allowing an efficient prover to convince the verifier of the validity of any deterministic polynomial-time computation M(x) = y using a "certificate" of some fixed polynomial length (independent of the size and the running-time of M) whose validity the verifier can check in some fixed polynomial time (independent of the running-time of M). That is, a P-certificate allows every deterministic polynomial-time computation to be certified using a "short" certificate (of a-priori bounded polynomial length) that can be "quickly" verified (in a-priori bounded polynomial time).

The soundness condition of a P-certificate system states that no uniform polynomial-time algorithm can output an accepting certificate for any false statement. For our application we will require a slightly stronger soundness condition: soundness needs to hold even against T(·)-time attackers attempting to prove the validity also of T(·)-time computations, where T(·) is some "nice" (slightly) super-polynomial function (e.g., T(n) = n^{log log log n}). We refer to such proof systems as strong P-certificates. Since we consider only languages in P, we may also consider statistically-sound (resp. statistically-sound strong) P-certificates, where soundness holds also with respect to unbounded attackers restricted to selecting statements of polynomial (resp. T(·)) length. (Note that considering soundness against non-uniform efficient attackers is equivalent to statistical soundness, since if an accepting proof of a false statement exists, a non-uniform efficient attacker can simply get it as non-uniform advice.)

On the Existence of P-certificates A candidate construction of a (computationally-sound) P-certificate system comes from Micali's CS-proofs [Mic00]. These constructs provide short certificates even for all of NEXP. However, since we here restrict to certificates only for P, the assumption that these constructions are sound (resp. strongly sound) P-certificates is falsifiable [Pop63, Nao03]: roughly speaking, we can efficiently test if an attacker outputs a valid proof of an incorrect statement, since whether a statement is correct or not can be checked in deterministic polynomial time. Formalizing this intuition turns out to be somewhat subtle: in general, whether an attacker breaks soundness of a strong P-certificate system, or even just a P-certificate system, may not be efficiently testable, since there is no a-priori polynomial upper-bound on the running-time of the machine M selected by the attacker. At first one may think that this issue can be easily resolved by asking the prover to provide an upper-bound on the running-time of M in unary; this certainly makes the soundness condition falsifiable, but such certificates are no longer "short". We overcome this issue by relying on the fact that Micali's construction satisfies an additional (and very natural) property, which we refer to as time-representation invariance: namely, that whether the verifier accepts a proof of a statement x does not depend on how the time-bound (i.e., the upper bound on the running time of M) is represented. For a time-representation invariant P-certificate, it suffices to define soundness for the case that the attacker specifies the time-bound in unary; by the time-representation invariance condition, this implies soundness also for other (more efficient) representations. Thus, assuming that the soundness condition of a time-representation invariant P-certificate holds is a falsifiable assumption, yet "short" certificates can still be generated by using more efficient representations of the running-time bound.^1

In our eyes, on a qualitative level, the assumption that Micali's CS-proofs yield strong P-certificates is not very different from the assumption that, e.g., the Full Domain Hash [BR93] or Schnorr [Sch91] signature schemes are existentially unforgeable: 1) whether an attacker succeeds can be efficiently checked, 2) no attacks are currently known, and 3) the "design principles" underlying the construction rely on similar intuitions.

^1 In contrast, as shown by Gentry and Wichs [GW11], (under reasonable complexity-theoretic assumptions) non-interactive CS-proofs for NP cannot be based on any falsifiable assumption using a black-box proof of security.

Finally, note that the assumption that statistically-sound strong P-certificates exist is implied by the assumption that 1) DTIME(n^{ω(1)}) ⊆ NP and 2) NP proofs for statements in DTIME(t) can be found in time polynomial in t [BLV06]. In essence, the assumption says that non-determinism can slightly speed up computation, and that the non-deterministic choices can be found efficiently, where efficiency is measured in terms of the original deterministic computation. Although we have no real intuition for whether this assumption is true or false^2, it seems beyond current techniques to contradict it. (As far as we know, at this point, there is no substantial evidence that even SUBEXP ⊈ NP.)

From P-certificates to O(1)-round Concurrent ZK Our main theorem is the following.

Theorem. Assume the existence of families of collision-resistant hash functions secure against polynomial-size circuits, and the existence of a strong P-certificate system (resp. a statistically-sound strong P-certificate system). Then there exists a constant-round concurrent zero-knowledge argument for NP with uniform soundness (resp. non-uniform soundness). Furthermore, the protocol is public-coin and its communication complexity depends only on the security parameter (but not on the length of the statement proved).

Our protocol is a variant of Barak's [Bar01] non-black-box zero-knowledge argument for NP. As mentioned above, Barak's original protocol already handles bounded-concurrent composition; that is, it remains secure under an a-priori bounded number of concurrent executions. In contrast, our protocol handles an unbounded number of executions, but relies on (seemingly) stronger assumptions.

Let us briefly remark that from a theoretical point of view, we find the notion of uniform soundness of interactive arguments as well-motivated as the one of non-uniform soundness; see e.g., [Gol93] for further discussion. From a practical point of view (and as is often the case), an asymptotic treatment of soundness is not needed for our results, even in the uniform setting: our soundness proof is a constructive black-box reduction that (assuming the existence of families of collision-resistant hash functions) transforms any attacker that breaks soundness of our concurrent ZK protocol on a single security parameter 1^n into an attacker that breaks the soundness of the P-certificate system with comparable probability on the same security parameter 1^n, with only a "small" polynomial overhead. In particular, if some attacker manages to break the soundness of a particular instantiation of our protocol using, e.g., Micali's CS-proofs for languages in P implemented using some specific hash function (e.g., SHA-256), then this attacker can be used to break this particular implementation of CS-proofs.

Beyond Concurrent ZK Since the work of Barak [Bar01], non-black-box simulation techniques have been used in several other contexts (e.g., [BGGL01, DGS09, BP12, Lin03, PR03a, Pas04a, BS05, GJ10]). We believe that our techniques will be applicable also in those scenarios. In particular, in Section 1.3, we show that our protocols directly yield a constant-round simultaneously-resettable ZK [BGGL01, DGS09] protocol for NP, and discuss applications to concurrent secure computation.

^2 As far as we know, the only evidence against it is that it contradicts very strong forms of derandomization assumptions [BLV06, BOV07].
1.2 Outline of Our Techniques

We provide a detailed outline of our techniques. We warn the reader that this outline is quite technical and assumes the reader is relatively familiar with Barak's non-black-box simulation technique.

Let us start by very briefly recalling the idea behind Barak's protocol (following a slight variant of this protocol due to [PR03b]). Roughly speaking, on common input 1^n and x ∈ {0,1}^{poly(n)}, the Prover P and Verifier V proceed in two stages. In Stage 1, P starts by sending a computationally-binding commitment c ∈ {0,1}^n to 0^n; V next sends a "challenge" r ∈ {0,1}^{2n}. In Stage 2, P shows (using a witness indistinguishable argument of knowledge) that either x is true, or there exists a "short" string σ ∈ {0,1}^n such that c is a commitment to a program M such that M(σ) = r.^3

Soundness follows from the fact that even if a malicious prover P* tries to commit to some program M (instead of committing to 0^n), with high probability the string r sent by V will be different from M(σ) for every string σ ∈ {0,1}^n (there are at most 2^n strings σ but 2^{2n} possible challenges, so a uniformly random r is of the form M(σ) with probability at most 2^{-n}). To prove ZK, consider the non-black-box simulator S that commits to the code of the malicious verifier V*; note that by definition it thus holds that M(c) = r, and the simulator can use σ = c as a "fake" witness in the final proof. To formalize this approach, the witness indistinguishable argument in Stage 2 must actually be a witness indistinguishable universal argument (WIUA) [Mic00, BG08], since the statement that c is a commitment to a program M of arbitrary polynomial size, and that M(c) = r within some arbitrary polynomial time, is not in NP.
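The two-stage structure above, and why the simulator's "fake" witness σ = c works while a cheating prover's does not, can be exercised in code. The following Python is an added illustration and not code from the paper: a program is modelled as its description string and "running" it is a keyed hash (so any byte string is a valid deterministic program), the commitment is a plain hash commitment standing in for the scheme C of footnote 3, and the Stage-2 relation is checked in the clear instead of being proved with a WIUA. The security parameter n = 256 bits is an assumed toy value.

```python
import hashlib
import hmac
import os

# Assumed toy security parameter: n = 256 bits, so c has n bits and r has 2n bits.
N_BYTES = 32


def commit(message: bytes, rand: bytes) -> bytes:
    """Hash-based commitment to an arbitrary-length message (stand-in for the
    scheme C of footnote 3; hiding and binding are only heuristic here)."""
    return hashlib.sha256(b"commit|" + rand + b"|" + message).digest()  # n bits


def run_program(code: bytes, inp: bytes) -> bytes:
    """Toy universal machine: a program *is* its description `code`, and running
    it on `inp` yields a 2n-bit output. A keyed hash plays the role of arbitrary
    deterministic code so the example stays self-contained."""
    return hmac.new(code, inp, hashlib.sha512).digest()  # 64 bytes = 2n bits


def honest_verifier_challenge() -> bytes:
    """The honest V ignores c and sends a uniformly random r in {0,1}^{2n}."""
    return os.urandom(2 * N_BYTES)


def malicious_verifier_challenge(vstar_code: bytes, c: bytes) -> bytes:
    """V* computes its challenge as a deterministic function of the prover's
    commitment c; V*'s code is the byte string vstar_code."""
    return run_program(vstar_code, c)


def fake_witness_accepted(c: bytes, rand: bytes, code: bytes, sigma: bytes, r: bytes) -> bool:
    """Second branch of the Stage-2 relation: c commits to program M and M(sigma) = r.
    (The real protocol proves this with a WIUA; here the witness is checked directly.)"""
    return commit(code, rand) == c and run_program(code, sigma) == r


def simulate_session(vstar_code: bytes) -> bool:
    """Non-black-box simulator S: commit to V*'s code instead of 0^n, receive
    r = V*(c), and use sigma = c as the fake witness. Returns True iff that
    witness passes the Stage-2 check (it always does, by construction)."""
    rand = os.urandom(N_BYTES)
    c = commit(vstar_code, rand)
    r = malicious_verifier_challenge(vstar_code, c)
    sigma = c  # the "short" string is just the commitment itself
    return fake_witness_accepted(c, rand, vstar_code, sigma, r)


def cheating_prover_attempt(code: bytes, r: bytes, tries: int = 1000) -> bool:
    """Soundness intuition: a cheating P* that committed to some program M must
    find a short sigma with M(sigma) = r for an r chosen after c was fixed. For a
    random 2n-bit r this fails; a bounded brute force over sigma stands in for
    'every sigma' here."""
    for i in range(tries):
        sigma = i.to_bytes(N_BYTES, "big")
        if run_program(code, sigma) == r:
            return True
    return False
```

Against a V* whose challenge depends on c, `simulate_session` succeeds without knowing any witness for x; against the honest verifier's random r, the same relation is unsatisfiable for whatever program was committed, which is exactly the asymmetry the 2n-bit challenge length buys.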

Now, let us consider concurrent composition. That is, we need to simulate the view of a verifier that starts m = poly(n) concurrent executions of the protocol. The above simulator no longer works in this setting: the problem is that the verifier's code is now a function of all the prover messages sent in different executions. (Note that if we increase the length of r, we can handle a bounded number of concurrent executions, by simply letting σ include all these messages.)

So, if the simulator could commit not only to the code of V*, but also to a program M that generates all other prover messages, then we would seemingly be done. And at first sight, this doesn't seem impossible: since the simulator S is actually the one generating all the prover messages, why don't we just let M be an appropriate combination of S and V*? This idea can indeed be implemented [PR03b, PRT11], but there is a serious issue: if the verifier "nests" its concurrent executions, the running-time of the simulation quickly blows up exponentially. For instance, if we have three nested sessions, to simulate session 3 the simulator needs to generate a WIUA regarding the computation needed to generate a WIUA for session 2, which in turn is regarding the generation of the WIUA of session 1 (so even if there is just a constant overhead in generating a WIUA, we can handle at most log n nested sessions).

P-certificates to the Rescue Our principal idea is to use P-certificates to overcome the above-mentioned blow-up in the running time. On a very high level, the idea is that once the simulator S has generated a P-certificate π to certify some partial computation performed by S in a particular session i, then the same certificate may be reused (without any additional "cost") to certify the same computation also in other sessions i' ≠ i. In essence, by reusing the same P-certificates, we can amortize the cost of generating them and may then generate WIUAs about WIUAs etc., without blowing up the running time of the simulator. Let us briefly mention how the two salient features of P-certificates, namely "non-interactivity" and "succinctness", are used: without non-interactivity, the same certificate cannot be reused in multiple sessions, and without succinctness, we do not gain anything by reusing a proof, since just reading the proof may be more expensive than verifying the statement from "scratch".

^3 We require that C is a commitment scheme allowing the committer to commit to an arbitrarily long string m ∈ {0,1}*. Any commitment scheme for fixed-length messages can easily be modified to handle arbitrarily long messages by asking the committer to first hash down m using a collision-resistant hash function h chosen by the receiver, and next commit to h(m).

Implementing the above high-level idea, however, is quite non-trivial. Below, we outline our actual implementation. We proceed in three steps:

1. We first present a protocol that only achieves bounded-concurrent ZK, using P-certificates.

2. We next show how this bounded-concurrent protocol can be slightly modified to become a (fully) concurrent ZK protocol, assuming the existence of so-called unique P-certificates: P-certificates having the property that for every true statement, there exists a single accepting certificate.

3. In the final step, we show how to eliminate the need for uniqueness, by generating P-certificates about the generation of P-certificates etc., in a tree-like fashion.

Step 1: Bounded Concurrency Using P-certificates In this first step, we present a (somewhat convoluted) protocol using strong P-certificates that achieves m(·)-bounded concurrency (using an even more convoluted simulation). As mentioned, Barak's original protocol could already be modified to handle bounded concurrency, without the use of P-certificates; but as we shall see shortly, our protocol can later be modified to handle full concurrency.

The protocol proceeds just as Barak's protocol in Stage 1, except that the verifier now sends a string r ∈ {0,1}^{2m(n)n^2} (instead of length 2n). Stage 2 is modified as follows: instead of having P prove (using a WIUA) that either x is true, or there exists a "short" string σ ∈ {0,1}^{m(n)n^2} such that c is a commitment to a program M such that M(σ) = r, we now ask P to use a WIUA to prove that either x is true, or

• commitment consistency: c is a commitment to a program M_1, and

• input certification: there exists a "short" string σ ∈ {0,1}^{m(n)n^2}, and

• prediction correctness: there exists a P-certificate π of length n demonstrating that M_1(σ) = r.

(Note that the only reason we still need to use a universal argument is that there is no a-priori upper-bound on the length of the program M_1; the use of the P-certificate takes care of the fact that there is no a-priori upper-bound on the running-time of M_1, though.) Soundness follows using essentially the same approach as above, except that we now also rely on the strong soundness of the P-certificate: since there is no a-priori upper-bound on either the length or the running-time of M_1, we need to put a cap on both using a (slightly) super-polynomial function, and thus, to guarantee soundness of the concurrent zero-knowledge protocol, we need the P-certificate to satisfy strong soundness.

Let us turn to (bounded-concurrent) zero-knowledge. Roughly speaking, our simulator will attempt to commit to its own code in a way that prevents a blow-up in the running-time. Recall that the main reason that we had a blow-up in the running-time of the simulator was that the generation of the WIUA is expensive. Observe that in the new protocol, the only expensive part of the generation of the WIUA is the generation of the P-certificates π; the rest of the computation has a-priori bounded complexity (depending only on the size and running-time of V*). To take advantage of this observation, we thus have the simulator only commit to a program that generates prover messages (in identically the same way as the actual simulator), but getting certificates π as input.

Figure 1: Simulation using P-certificates.

In more detail, to describe the actual simulator S, let us first describe two "helper" simulators S_1, S_2. S_1 is an interactive machine that simulates prover messages in a "right" interaction with V*. Additionally, S_1 is expecting some "external" messages on the "left"; looking forward, these "left" messages will later be certificates provided by S_2. See Figure 1 for an illustration of the communication patterns between S_1, S_2 and V*.

S_1 proceeds as follows in the right interaction. In Stage 1 of every session i, S_1 first commits to a machine S̃_1(j, τ) that emulates an interaction between S_1 and V*, feeding S_1 the input τ as messages on the left, and finally outputs the verifier message in the j'th communication round in the right interaction with V*. (Formalizing what it means for S_1 to commit to S̃_1 is not entirely trivial, since the definition of S̃_1 depends on S_1; we refer the reader to the formal proof for a description of how this circularity is broken.^4) S_1 next simulates Stage 2 by checking if it has received a message (j, π_j) in the left interaction, where j is the communication round (in the right interaction with V*) in which the verifier sends its random challenge and expects to receive the first message of Stage 2; if so, it uses M_1 = S̃_1 (and the randomness it used to commit to it), j, and σ being the list of messages received by S_1 in the left interaction, as a "fake" witness to complete Stage 2.

The job of S_2 is to provide P-certificates π_j for S_1, allowing S_1 to complete its simulation. S_2 emulates the interaction between S_1 and V*, and additionally, at each communication round j, S_2 feeds S_1 a message (j, π_j), where π_j is a P-certificate showing that S̃_1(j, σ_{<j}) = r_j, where σ_{<j} is the list of messages already generated by S_2, and r_j is the verifier message in the j'th communication round. Finally, S_2 outputs its view of the full interaction.

The actual simulator S just runs S_2, recovers from the view of S_2 the view of V*, and outputs it. Note that since S_1 has polynomial running-time, generating each certificate about S̃_1 (which is just about an interaction between S_1 and V*) also takes polynomial time. As such, S_2 can also be implemented in polynomial time, and thus also S. Additionally, note that if there are m(n) sessions, the length of σ is at most O(m(n)n) ≪ m(n)n^2: for each of the m(n) sessions, and for each round of the constant number of rounds in each session, we need to store a pair (j, π) where π is of length n; therefore, the simulation always succeeds without getting "stuck".

Finally, indistinguishability of this simulation, roughly speaking, should follow from the hiding property of the commitment in Stage 1, and the WI property of the WIUA in Stage 2. Or does it? Note that since S_1 is committing to its own code (including its randomness), it is committing to a message that depends on the randomness used for the commitment. (In the language of [BCPT12], this constitutes a randomness-dependent message (RDM) attack on the commitment scheme.) This circularity can be easily overcome (as in [PRT11]) by simply not committing to the randomness of S_1, and instead providing it as an additional input to S̃_1 that may be incorporated in σ; without loss of generality, we may assume that the randomness is "short", since S_1 can always use a PRG to expand it. But the same circularity arises also in the WIUA, and here σ, which contains the seed used to generate the randomness of S_1, needs to be an input. To overcome it, we here require S_1 to use a forward-secure PRG [BY03] to expand its randomness; roughly speaking, a forward-secure PRG ensures that "earlier" chunks of the output of the PRG are indistinguishable from random, even if a seed generating the "later" ones is revealed. We next have S_1 use a new chunk of the output of the PRG to generate each new message in the interaction, but use these chunks in reverse order (i.e., in step 1, the last chunk of the output of the PRG is used, etc.); this means that we can give proofs about "earlier" computations of S_1 (which requires knowing a seed expanding the randomness used in the computation) while still guaranteeing indistinguishability of "later" messages.^5

^4 Roughly speaking, we let S_1 take the description of a machine M as input, and we then run S_1 on input M = S_1.
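The reverse-order trick is easiest to see with a concrete forward-secure PRG. The following Python is an added illustration, not code from the paper or from [BY03]: it instantiates the forward-secure PRG as a simple hash chain (from state s_{i-1} derive the chunk out_i and the next state s_i; given s_i one can recompute out_{i+1}, ..., out_k but not out_1, ..., out_i, assuming the hash is one-way), and then shows which state must be revealed to certify the randomness of messages 1..t and that this reveals nothing about the chunks used for messages t+1..k. The chunk size and the use of SHA-256 are assumptions of the example.

```python
import hashlib
from typing import List, Tuple


def _step(state: bytes) -> Tuple[bytes, bytes]:
    """One step of a hash-chain forward-secure PRG (illustrative instance, not [BY03]'s):
    from s_{i-1} derive (out_i, s_i). Domain separation keeps the two derivations independent."""
    out = hashlib.sha256(b"out|" + state).digest()
    nxt = hashlib.sha256(b"next|" + state).digest()
    return out, nxt


def expand(seed: bytes, k: int) -> Tuple[List[bytes], List[bytes]]:
    """Run the chain k times. Returns (states, outs) with states[0] = seed,
    states[i] = s_i and outs[i-1] = out_i for i = 1..k."""
    states = [seed]
    outs = []
    s = seed
    for _ in range(k):
        out, s = _step(s)
        outs.append(out)
        states.append(s)
    return states, outs


def chunk_for_message(outs: List[bytes], t: int) -> bytes:
    """Reverse-order rule from the text: message t (1-indexed, of k messages)
    uses chunk out_{k+1-t}, so message 1 uses the LAST chunk."""
    k = len(outs)
    return outs[k - t]


def seed_for_prefix(states: List[bytes], t: int) -> bytes:
    """What a proof about messages 1..t must reveal: the state s_{k-t}, from which
    exactly out_{k-t+1}, ..., out_k (the chunks of messages 1..t) are derivable."""
    k = len(states) - 1
    return states[k - t]


def derive(state: bytes, count: int) -> List[bytes]:
    """Everything a holder of `state` can recompute: the next `count` chunks.
    Earlier chunks would require inverting the hash, so they stay pseudorandom."""
    _, outs = expand(state, count)
    return outs


def hidden_after_reveal(outs: List[bytes], t: int) -> List[bytes]:
    """Chunks of messages t+1..k: the ones a verifier of the prefix proof never learns."""
    k = len(outs)
    return [chunk_for_message(outs, i) for i in range(t + 1, k + 1)]
```

Had S_1 consumed the chunks in forward order instead, certifying message 1 would require revealing the initial seed, which expands every later chunk as well; consuming them in reverse order means the revealed state only ever expands randomness that has already been used.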

Step 2: Full Concurrency using Unique P-certificates The reason that the above approach only yields a bounded-concurrent zero-knowledge protocol is that for each new session i, we require S_2 to provide S_1 with new certificates, which thus grows the length of σ. If we could somehow guarantee that these certificates are determined by the statement proved in the WIUA, then soundness would hold even if σ is long. Let us first sketch how to do this when assuming the existence of unique strong P-certificates, that is, P-certificates having the property that for each true statement x, there exists a single proof π that is accepted. (We are not aware of any candidates for unique P-certificates, but using them serves as a simpler warm-up for our actual protocol.) We simply modify the input certification and prediction correctness conditions in the WIUA to be the following:

• input certification: there exists a vector Λ = ((1, π_1), (2, π_2), ...) and a vector of messages m such that π_j certifies that M_1(Λ_{<j}) outputs m_j in its j'th communication round, where Λ_{<j} = ((1, π_1), ..., (j−1, π_{j−1})), and

• prediction correctness: there exists a P-certificate π of length n demonstrating that M_1(Λ) = r.

Soundness of the modified protocol, roughly speaking, follows since by the unique certificate property, for every program M_1 it inductively follows that for every j, m_j is uniquely defined, and thus also the unique (accepting) certificate π_j certifying M_1(Λ_{<j}) = m_j; it follows that M_1 determines a unique vector Λ that passes the input certification conditions, and thus there exists a single r that makes M_1 also pass the prediction correctness conditions. Zero-knowledge, on the other hand, can be shown in exactly the same way as above (using S_1, S_2), but we can now handle also unbounded concurrency (since there is no longer a restriction on the length of the input Λ).

Step 3: Full Concurrency Using (Plain) P-certificates Let us finally see how to implement the above idea while using "plain" (i.e., non-unique) P-certificates. The above protocol is no longer sound, since we cannot guarantee that the proofs π_j are unique, and thus the messages m_j may not be unique either, which may make it possible for an attacker to pass the "prediction correctness" condition (without knowing the code of V*) and thus break soundness. A natural idea would thus be to ask the prover to commit to a machine M_2 (which in the simulation will be a variant of S_2) that produces the certificates π_j, and then require the prover to provide a "second-level" certificate that the "first-level" certificates were generated (deterministically) by running M_2. But have we really gained anything? Now, to perform the simulation, we need to provide the second-level certificates as input to both M_1 and M_2; however, for these second-level certificates, we have no guarantee that they were deterministically generated, and again there is no a-priori upper bound on the number of such certificates, so it seems we haven't really gained anything.

^5 Although the language of forward-security was not used, it was noticed in [PR03b] that GGM's pseudo-random function [GGM86] could be used to remove circularity in situations as above. A related trick is used in the contemporary work of [CLP12].

Our main observation is that a single "second-level" certificate can be used to certify the (deterministic generation) of $n$ "first-level" certificates. And a sequence of $n$ "second-level" certificates can be certified by a single "third-level" certificate, etc. At each level, there will be fewer than $n$ certificates that are not certified by a higher-level certificate; we refer to these as "dangling" certificates. See Figure 2 for an illustration of the tree structure, and of certified and dangling certificates.


Figure  2:  An  illustration  of  the  tree  structure  for  generating  P-certificates.  Nodes  that  are  not 
circled  are  “certified”  certificates;  nodes  that  are  circled  are  “dangling”  certificates. 

Note that since the number of messages in the interaction with $V^*$ is polynomially bounded, we only have a polynomial number of level-1 certificates, and thus the above higher-level certification process does not go beyond a constant number of levels (at each level we need a factor of $n$ fewer certificates). Finally, note that the total number of "dangling" (uncertified) certificates is bounded by the number of levels times $n$ (and is thus bounded by, say, $n^2$). This means that all the dangling certificates may be provided as a "short" input $\sigma$ to the committed program, and all the certified certificates can be provided as a "long" (but certified deterministically generated) input $\Lambda$.
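To make the counting argument concrete, here is an added example (not from the paper) that lays out the certification tree for a list of level-1 certificates and a fan-in $n$, separates the certified ones (the "long" input $\Lambda$) from the dangling ones (the "short" input $\sigma$), and checks the bound of at most $n$ dangling certificates per level. A higher-level certificate is modelled by a SHA-256 digest of the chunk it covers; that stand-in is an assumption of the example, since a P-certificate is an assumed primitive.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field


def certify(level: int, chunk: list[str]) -> str:
    """Stand-in for a level-`level` P-certificate covering `chunk`.

    A real P-certificate is an assumed primitive; here a SHA-256 digest of the
    chunk (with the level as domain separator) plays its role, so that a
    checker can recompute it deterministically. This is a modelling assumption.
    """
    h = hashlib.sha256(f"level-{level}".encode())
    for cert in chunk:
        h.update(cert.encode())
    return h.hexdigest()[:16]


@dataclass
class CertificateTree:
    levels: list[list[str]] = field(default_factory=list)  # levels[k] holds the level-(k+1) certificates
    certified: list[tuple[int, str]] = field(default_factory=list)  # the "long" input Lambda
    dangling: list[tuple[int, str]] = field(default_factory=list)   # the "short" input sigma


def build_tree(level1: list[str], n: int) -> CertificateTree:
    """Group certificates n at a time; each full group is covered by one
    certificate on the next level, the fewer-than-n leftovers are dangling."""
    tree = CertificateTree()
    current, level = list(level1), 1
    tree.levels.append(current)
    while current:
        full = len(current) // n
        for j in range(full):
            tree.certified.extend((level, c) for c in current[j * n:(j + 1) * n])
        tree.dangling.extend((level, c) for c in current[full * n:])
        higher = [certify(level + 1, current[j * n:(j + 1) * n]) for j in range(full)]
        if not higher:          # top reached: nothing left to certify
            break
        level += 1
        current = higher
        tree.levels.append(current)
    return tree


def verify_tree(tree: CertificateTree, n: int) -> bool:
    """Recompute every higher-level certificate from the chunk it covers."""
    for k in range(len(tree.levels) - 1):
        lower, upper = tree.levels[k], tree.levels[k + 1]
        if len(upper) != len(lower) // n:
            return False
        for j, cert in enumerate(upper):
            if cert != certify(k + 2, lower[j * n:(j + 1) * n]):
                return False
    return True


def dangling_within_bound(tree: CertificateTree, n: int) -> bool:
    """The paper's bound: at most n dangling certificates per level."""
    return len(tree.dangling) <= len(tree.levels) * n


if __name__ == "__main__":
    # Constructed sample: 1234 level-1 certificate labels, fan-in n = 10.
    t = build_tree([f"pi_{i}" for i in range(1, 1235)], 10)
    print(len(t.levels), "levels;", len(t.certified), "certified;", len(t.dangling), "dangling")
```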

Let us explain this idea more closely using only second-level certificates; this still only gives us bounded concurrency, but we may now handle $O(m(n)n)$ sessions (instead of just $m(n)$). (More generally, if we use $k$ levels of certification, we can handle $m(n)n^k$ sessions.) We now change Stage 2 of the protocol to require $P$ to use a WIUA to prove that either $x$ is true, or

• commitment consistency: $c$ is a commitment to programs $M_1, M_2$, and

• input certification: there exists

– a vector of "certified level-1 certificates" $\Lambda^1 = ((1, \pi_1), (2, \pi_2), \ldots, (an, \pi_{an}))$,

– a "small" number of "dangling level-1 certificates" $\sigma^1 = (\sigma^1_1, \sigma^1_2, \ldots, \sigma^1_{j'})$, where $j' < n$ and for each $j \le j'$, $\sigma^1_j \in \{0,1\}^n$,

– $a \le m(n)$ level-2 certificates $\sigma^2 = (\sigma^2_n, \sigma^2_{2n}, \ldots, \sigma^2_{an})$, where for each $j \le a$, $\sigma^2_{jn} \in \{0,1\}^n$,

such that

– $\sigma^2_{jn}$ certifies that $M_2(\sigma_{<jn})$ generates the certificates $\Lambda^1$,

and

• prediction correctness: there exists a P-certificate $\pi$ of length $n$ demonstrating that $M_1(\Lambda^1, \sigma^1, \sigma^2) = r$.

Soundness of this protocol follows since the total length of "arbitrary" (not deterministic) input is bounded by $(m(n)+n)n \ll m(n)n^2$. $m(n)n$-bounded concurrent zero-knowledge, on the other hand, roughly speaking, follows by letting $M_1$ be as above (i.e., $S_1$) and $M_2$ be a variant of the simulator $S_2$ that outputs all the certificates generated by $S_2$. We then define a simulator $S_3$ that is responsible for generating second-level certificates for $S_2$ and finally outputs its full view of the interaction. The final simulator $S$ runs $S_3$ and outputs the view of $V^*$ in the interaction. See Figure 3 for an illustration of the communication patterns of $S_1$, $S_2$, $S_3$ and $V^*$.


Figure  3:  Simulation  using  second-level  P-certificates. 


Note that as long as there are fewer than $m(n)n$ messages in the interaction with $V^*$, the number of first-level certificates is bounded by $m(n)n$, and thus we have enough "spots" for second-level certificates (in $\sigma^2$) to perform the simulation.

In the final protocol, we instead have the simulator commit to a sequence $M_1, M_2, \ldots$ of machines; roughly speaking, $M_1$ will be as above, $M_2$ is responsible for generating first-level certificates (while receiving level $k > 1$ certificates externally), $M_3$ will be responsible for generating second-level certificates (while receiving level $k > 2$ certificates externally), etc. Note that although there is a (potentially) exponential blow-up in the time needed to generate higher-level certificates, since we only have a constant number of levels, simulation can be performed in polynomial time.
1.3 Applications

Our techniques are useful also beyond concurrent ZK. For instance, by applying the transformation of [BGGL01] to our protocol, we directly get a constant-round resettably-sound concurrent ZK protocol. By additionally applying the transformation of [DGS09] to the resulting resettably-sound concurrent ZK protocol, we get a constant-round simultaneously-resettable ZK protocol.

For another application, a recent result by Goyal on concurrent secure computation [Goy12] demonstrates classes of two-party functionalities that can be securely computed in a concurrent "single-input" setting; that is, we consider a "client-server" setting, where the (honest) server is using the same input in all concurrent sessions. By using our simulation techniques, we can get a very crisp condition on the class of functions that can be securely computed in this setting (one that significantly expands beyond the class considered in [Goy12]): any function $f$ for which there exists an efficient procedure $M$ that on input an arbitrary polynomial sequence $(x_1, f(x_1,y)), (x_2, f(x_2,y)), \ldots, (x_m, f(x_m,y))$ can output a circuit $C$ of a-priori bounded (independent of $m$) size and an input $y'$ of a-priori bounded length such that for every $i \in [m]$, $f(x_i,y) = C(x_i,y')$. Note that if there exists an efficient procedure for finding the input $y$ (i.e., inverting the function $f'(x_1, x_2, \ldots, x_m, y) = f(x_1,y) \ldots f(x_m,y)$), then this condition is trivially satisfied by simply setting $C = f$, $y = y'$. (We remark that this condition is very related to the "bounded-entropy" conjecture of [Goy12].) This result is obtained by simply plugging our concurrent ZK protocol into the bounded-concurrent secure two-party computation protocol of [Pas04b] and noticing that once "straight-line" concurrent ZK simulation is achieved (as it is in our protocol), the only obstacle to fully concurrent simulation is the need to "compress" outputs from the trusted party computing $f$; the above condition stipulates that such a compression is always possible. (We expand on these results in the final version of the paper.)

1.4  Related  Work 

We  provide  a  detailed  discussion  of  some  other  related  works: 

• As mentioned in the introduction, constant-round concurrent zero-knowledge protocols with super-polynomial-time simulators have been constructed in the plain model [Pas03a, PV08]. For the protocol of [Pas03a], the only super-polynomial-time "advantage" needed by the simulator is to find a pre-image $x' = f^{-1}(y)$ to any point $y$ output by the malicious verifier $V^*$, as long as $y$ actually is in the range of some one-way function $f$. If we assume that the only way for $V^*$ to output some $y$ in the range of $f$ is by applying $f$ to an input $x$ that it explicitly knows, then the protocol of [Pas03a] is concurrent zero-knowledge. A problem with formalizing this is that $V^*$ may already get some string $y = f(x)$ as its auxiliary input and thus may not know $x$. As in the literature on "knowledge-of-exponent"-type extractability assumptions (see e.g., [Dam91, HT98, BP04b, CD09, BCCT12a, DFH12, GLR11]), this issue can be resolved by having the prover select the one-way function $f$ from a family $\mathcal{F}$ of one-way functions. Now the extractability assumption we need is that for every polynomial-time oracle machine $M$, there exists some polynomial-time machine $M'$ such that given any $z \in \{0,1\}^*$ and uniformly selected functions $\bar f = f_1, \ldots, f_{\mathrm{poly}(n)} \in \mathcal{F}$, $M^{O(\bar f)}(1^n, z, \bar f)$ and $M'(1^n, z, \bar f)$ generate the same output, where $O(\bar f)$ is an oracle that inverts the functions in $\bar f$. In other words, we are assuming that in the simulation, the simulator together with the verifier can (in polynomial time) emulate the one-way function inverter used in [Pas03a]. Note that the above extractability assumption is stronger than the typical "knowledge-of-exponent"-type extractability assumptions since we require simultaneous extractability of many images $y$ that are chosen adaptively by the adversary.⁶ However, as shown in [Pas03b], any sufficiently length-expanding random oracle satisfies exactly such an extractability assumption; this was used in [Pas03a] to construct a concurrent ZK protocol in the "non-programmable" random oracle model.

One important difference between the above approach and our work is that we here provide an explicit concurrent ZK simulator. The above-mentioned approach simply assumes that such a simulator exists; and, even if the assumption is true, it is not clear how to find it. In particular, for the purpose of deniability (see e.g., [DNS04, Pas03b]) it is not clear whether the approach based on "extractability" assumptions provides sufficient guarantees (unless an explicit simulator strategy is found).

• Barak, Lindell and Vadhan [BLV06] show that under the assumptions that 1) $\mathrm{DTIME}(n^{\omega(1)}) \subseteq \mathrm{NP}$ and 2) NP proofs for statements in $\mathrm{DTIME}(t)$ can be found in time polynomial in $t$, there exist 2-round proofs that are zero-knowledge for uniform verifiers that do not receive any auxiliary input. Their zero-knowledge simulator is non-black-box. As mentioned in the introduction, the above-mentioned assumptions imply the existence of statistical strong P-certificates. We note that the protocol of [BLV06] is not known to be concurrent (or even sequential) zero-knowledge, even with respect to uniform malicious verifiers.

• Contemporary work by Canetti, Lin and Paneth [CLP12] constructs a public-coin concurrent zero-knowledge protocol using non-black-box simulation techniques.⁷ As shown by Pass, Tseng and Wikström [PTW11], public-coin concurrent (and in fact even parallel) zero-knowledge protocols require non-black-box simulation, no matter what the round-complexity is. The protocol of [CLP12] is in the "non-programmable" CRS model of [Pas03a], but as shown in [Pas03a], black-box separations of the Goldreich-Krawczyk [GK96] type (and, in particular, the [PTW11] one falls into this category) extend also to zero-knowledge in the non-programmable CRS model; thus non-black-box simulation is necessary also for their result. In contrast to our protocol, theirs, however, requires $O(\log^{1+\epsilon} n)$ rounds for an arbitrarily small constant $\epsilon$, but instead only relies on the existence of families of collision-resistant hash functions. (Additionally, [CLP12] note that if one assumes the existence of a single hash function that is collision-resistant against uniform adversaries, their protocol can be instantiated also in the plain model with uniform soundness.)

On a technical level, both our work and theirs provide methods for overcoming the exponential blow-up in the simulation time when dealing with non-black-box simulations, but the actual details of the methods are very different: [CLP12] increases the round-complexity to tackle this blow-up, and relies on ideas from the literature on concurrent zero-knowledge with black-box simulation [RK99, KP01, PRS02]; as a result, their techniques only apply in the context of super-logarithmic-round protocols. In contrast, we rely on P-certificates to overcome the blow-up and obtain a constant-round protocol. (We also mention that our protocol can be modified in a straightforward way to achieve non-uniform soundness in the non-programmable CRS model, by using 2-round P-certificates (that are sound against non-uniform polynomial-time provers) and simply having the first message of the P-certificate be fixed as the CRS.)

• A recent work by Bitansky, Canetti, Chiesa and Tromer [BCCT12b] presents techniques for composing SNARKs (succinct non-interactive arguments of knowledge) for NP; roughly speaking,

6 On the other hand, it is weaker than most other usages of extractability in that it requires less structure from the function (i.e., only one-wayness).

7 Our results and theirs were developed in parallel.
[BCCT12b] shows that if for some sufficiently large $c$, any non-deterministic $n^c$ computation can be proved using an "argument of knowledge" of length $n$ that can be verified in time $n^2$, then for any $d$, every non-deterministic $n^d$-time computation can also be proved (using a SNARK of length $n$ that can be verified in time $n^2$). This is achieved by having the prover first generate a SNARK for each subcomputation of $n^c$ steps, and then for each "chunk" of $n$ SNARKs, having the prover prove that it knows SNARKs that are accepted for all these subcomputations, and so on in a tree-like fashion. Finally, the prover only provides the verifier with a "top-level" SNARK that it knows lower-level SNARKs that prove that it knows even lower-level SNARKs, etc. This type of proof composition was previously also used by Valiant [Val08]. To prove that this type of composition works it is crucial to work with languages in NP (since we are proving statements about the existence of some SNARKs); additionally, it is crucial that we are dealing with arguments of knowledge: SNARKs of false statements may exist, so to guarantee soundness, the prover needs to show not only that appropriate SNARKs exist, but also that it "knows" them.

At a superficial level, our simulator strategy also uses a tree of "proofs". However, rather than proving knowledge of lower-level "proofs" etc., in our approach higher-level P-certificates are only used to demonstrate that lower-level P-certificates have been deterministically generated. As a consequence, we do not need to certify non-deterministic computations; additionally, we do not need the certificates to satisfy an argument-of-knowledge property. Indeed, this is what allows us to base P-certificates on a falsifiable assumption.
2 Preliminaries

Let $\mathbb{N}$ denote the set of positive integers, and $[n]$ denote the set $\{1, 2, \ldots, n\}$. We denote by PPT probabilistic polynomial-time Turing machines. We assume familiarity with interactive Turing machines, denoted ITM, and interactive protocols. Given a pair of ITMs, $A$ and $B$, we denote by $\langle A(x), B(y)\rangle(z)$ the random variable representing the (local) output of $B$, on common input $z$ and private input $y$, when interacting with $A$ with private input $x$, when the random tape of each machine is uniformly and independently chosen, and by $\mathrm{View}_B\langle A(x), B(y)\rangle(z)$ the random variable representing $B$'s view in such an interaction. The term negligible is used for denoting functions that are (asymptotically) smaller than one over any polynomial. More precisely, a function $\nu(\cdot)$ from non-negative integers to reals is called negligible if for every constant $c > 0$ and all sufficiently large $n$, it holds that $\nu(n) < n^{-c}$.

2.1  Witness  Relations 

We recall the definition of a witness relation for an NP language [Gol01].

Definition 1 (Witness relation). A witness relation for a language $L \in \mathrm{NP}$ is a binary relation $R_L$ that is polynomially bounded, polynomial-time recognizable and characterizes $L$ by $L = \{x : \exists y \text{ s.t. } (x,y) \in R_L\}$.

We say that $y$ is a witness for the membership $x \in L$ if $(x,y) \in R_L$. We will also let $R_L(x)$ denote the set of witnesses for the membership $x \in L$, i.e., $R_L(x) = \{y : (x,y) \in R_L\}$. In the following, we assume a fixed witness relation $R_L$ for each language $L \in \mathrm{NP}$.

2.2  Computational  Indistinguishability 

The following definition of computational indistinguishability originates in the seminal paper of Goldwasser and Micali [GM84]. Let $X$ be a countable set of strings. A probability ensemble indexed by $X$ is a sequence of random variables indexed by $X$. Namely, any element of $A = \{A_x\}_{x \in X}$ is a random variable indexed by $X$.

Definition 2 (Indistinguishability). Let $X$ be a countable set. Two ensembles $\{A_{n,x}\}_{n \in \mathbb{N}, x \in X}$ and $\{B_{n,x}\}_{n \in \mathbb{N}, x \in X}$ are said to be computationally indistinguishable over $\mathbb{N}$ if for every probabilistic machine $D$ (the distinguisher) whose running time is polynomial in its first input, there exists a negligible function $\nu(\cdot)$ so that for every $n \in \mathbb{N}$ and $x \in X$:

$$\left|\Pr[a \leftarrow A_{n,x} : D(1^n, x, a) = 1] - \Pr[b \leftarrow B_{n,x} : D(1^n, x, b) = 1]\right| < \nu(n)$$

2.3  Interactive  Proofs  and  Arguments 

We recall the standard definitions of interactive proofs [GMR89] and arguments (a.k.a. computationally sound proofs) [BCC88]. In our definition of arguments, we distinguish between uniform soundness, where soundness only needs to hold against uniform probabilistic polynomial-time algorithms, and non-uniform soundness, where it holds against non-uniform polynomial-time algorithms. Typically, in the literature on zero-knowledge arguments, non-uniform soundness is more commonly used (but there are exceptions, see e.g., [BP04a]). We find the uniform model of computation as well-motivated as the non-uniform one; see e.g., [Gol93].

Definition 3 (Interactive Proof System). A pair of interactive machines $(P,V)$ is called an interactive proof system for a language $L$ if there is a negligible function $\nu(\cdot)$ such that the following two conditions hold:

• Completeness: For every $n \in \mathbb{N}$, $x \in L$, and every $w \in R_L(x)$,

$$\Pr[\langle P(w), V\rangle(1^n, x) = 1] = 1$$

• Soundness: For every pair of machines $B_1, B_2$ and every $n \in \mathbb{N}$,

$$\Pr[(x, z) \leftarrow B_1(1^n) : x \notin L \wedge \langle B_2(z), V\rangle(1^n, x) = 1] < \nu(n)$$

If the soundness condition only holds against all polynomial-time (resp. non-uniform polynomial-time) machines $B_1, B_2$, the pair $(P,V)$ is called a uniformly-sound (resp. non-uniformly sound) interactive argument system.
2.4 Witness Indistinguishability

An interactive protocol is witness indistinguishable (WI) [FS90] if the verifier's view is "independent" of the witness used by the prover for proving the statement.

Definition 4 (Witness-indistinguishability). An interactive protocol $(P,V)$ for $L \in \mathrm{NP}$ is witness indistinguishable for $R_L$ if for every PPT adversarial verifier $V^*$, and for every two sequences $\{w^1_{n,x}\}_{n \in \mathbb{N}, x \in L \cap \{0,1\}^{\mathrm{poly}(n)}}$ and $\{w^2_{n,x}\}_{n \in \mathbb{N}, x \in L \cap \{0,1\}^{\mathrm{poly}(n)}}$, such that $w^1_{n,x}, w^2_{n,x} \in R_L(x)$ for every $n \in \mathbb{N}$ and $x \in L \cap \{0,1\}^{\mathrm{poly}(n)}$, the following ensembles are computationally indistinguishable over $\mathbb{N}$:

• $\{\mathrm{View}_{V^*}\langle P(w^1_{n,x}), V^*(z)\rangle(1^n, x)\}_{n \in \mathbb{N},\, x \in L \cap \{0,1\}^{\mathrm{poly}(n)},\, z \in \{0,1\}^*}$

• $\{\mathrm{View}_{V^*}\langle P(w^2_{n,x}), V^*(z)\rangle(1^n, x)\}_{n \in \mathbb{N},\, x \in L \cap \{0,1\}^{\mathrm{poly}(n)},\, z \in \{0,1\}^*}$

2.5  Commitment  Schemes 

Commitment protocols allow a sender to commit itself to a value while keeping it secret from the receiver; this property is called hiding. At a later time, the commitment can only be opened to a single value as determined during the commitment protocol; this property is called binding. Commitment schemes come in two different flavors, statistically binding and statistically hiding; we only make use of statistically binding commitments in this paper. Below we sketch the properties of a statistically binding commitment; full definitions can be found in [Gol01].

In statistically binding commitments, the binding property holds against unbounded adversaries, while the hiding property only holds against computationally bounded (non-uniform) adversaries. The statistical-binding property asserts that, with overwhelming probability over the randomness of the receiver, the transcript of the interaction fully determines the value committed to by the sender. The computational-hiding property guarantees that the commitments to any two different values are computationally indistinguishable.

Non-interactive statistically-binding commitment schemes can be constructed using any one-to-one one-way function (see Section 4.4.1 of [Gol01]). Allowing some minimal interaction (in which the receiver first sends a single random initialization message), statistically-binding commitment schemes can be obtained from any one-way function [Nao91, HILL99].

2.6  Universal  Arguments 

Universal arguments (introduced in [BG08] and closely related to the notion of CS-proofs [Mic00]) are used in order to provide "efficient" proofs to statements of the universal language $L_U$ with witness relation $R_U$ defined in [BG08, Mic00]. A triplet $y = (M, x, t) \in L_U$ if the non-deterministic machine $M$ accepts input $x$ within $t < T(|x|)$ steps, for a slightly super-polynomial function $T(n) = n^{\log\log n}$. We denote by $T_M(x, w)$ the running time of $M$ on input $x$ using the witness $w$. Notice that every language in NP is linear-time reducible to $L_U$. Thus, a proof system for $L_U$ allows us to handle all NP-statements. Below we recall the definition in [BG08].

Definition 5 (Universal argument). A pair of interactive Turing machines $(P,V)$ is called a universal argument system if it satisfies the following properties:

• Efficient verification: There exists a polynomial $p$ such that for any $y = (M, x, t)$, the total time spent by the (probabilistic) verifier strategy $V$, on common input $1^n, y$, is at most $p(n + |y|)$. In particular, all messages exchanged in the protocol have length smaller than $p(n + |y|)$.

• Completeness by a relatively efficient prover: For every $n \in \mathbb{N}$, $y = (M, x, t) \in L_U$ and $w \in R_U(y)$,

$$\Pr[\langle P(w), V\rangle(1^n, (M, x, t)) = 1] = 1$$

Furthermore, there exists a polynomial $q$ such that the total time spent by $P(w)$, on common inputs $1^n$ and $(M, x, t)$, is at most $q(n + |y| + T_M(x, w)) \le q(n + |y| + t)$.

• Computational soundness: For every polynomial-size circuit family $\{P^*_n\}_{n \in \mathbb{N}}$, there is a negligible function $\nu$ such that, for every $n \in \mathbb{N}$ and every triplet $(M, x, t) \in \{0,1\}^{\mathrm{poly}(n)} \setminus L_U$,

$$\Pr[\langle P^*_n, V\rangle(1^n, (M, x, t)) = 1] < \nu(n)$$

• Weak proof of knowledge: For every positive polynomial $p$ there exists a positive polynomial $p'$ and a probabilistic polynomial-time oracle machine $E$ such that the following holds: for every polynomial-size circuit family $\{P^*_n\}_{n \in \mathbb{N}}$, every sufficiently large $n \in \mathbb{N}$ and every $y = (M, x, t) \in \{0,1\}^{\mathrm{poly}(n)}$, if $\Pr[\langle P^*_n, V\rangle(1^n, y) = 1] > 1/p(n)$ then

$$\Pr_r\left[\exists w = w_1 \ldots w_t \in R_U(y) \text{ s.t. } \forall i \in [t],\ E_r^{P^*_n}(1^n, y, i) = w_i\right] > \frac{1}{p'(n)}$$

where $R_U(y) \stackrel{\mathrm{def}}{=} \{w : (y, w) \in R_U\}$ and $E_r^{P^*_n}(\cdot, \cdot, \cdot)$ denotes the function defined by fixing the random tape of $E$ to equal $r$, and providing the resulting $E_r$ with oracle access to $P^*_n$.

The weak proof-of-knowledge property of universal arguments only guarantees that each individual bit $w_i$ of some witness $w$ can be extracted in probabilistic polynomial time. Given an input $1^n$ and $y = (M, x, t)$ in $L_U \cap \{0,1\}^{\mathrm{poly}(n)}$, since the witness $w \in R_U(y)$ is of length at most $t$, it follows that there exists an extractor running in time polynomial in $\mathrm{poly}(n) \cdot t$ that extracts the whole witness; we refer to this as the global proof-of-knowledge property of a universal argument.

The notion of witness indistinguishability of a universal argument for $R_U$ is defined similarly to that for interactive proofs/arguments for NP relations; we refer the reader to [BG08] for a formal definition. [BG08] (based on [Mic00, Kil95]) presents a witness-indistinguishable universal argument based on the existence of families of collision-resistant hash functions.

2.7  Concurrent  Zero-Knowledge 

An interactive proof is said to be zero-knowledge if it yields nothing beyond the validity of the statement being proved [GMR89].

Definition 6 (Zero-knowledge). An interactive protocol $(P,V)$ for language $L$ is zero-knowledge if for every PPT adversarial verifier $V^*$, there exists a PPT simulator $S$ such that the following ensembles are computationally indistinguishable over $n \in \mathbb{N}$:

• $\{\mathrm{View}_{V^*}\langle P(w), V^*(z)\rangle(1^n, x)\}_{n \in \mathbb{N},\, x \in L \cap \{0,1\}^{\mathrm{poly}(n)},\, w \in R_L(x),\, z \in \{0,1\}^{\mathrm{poly}(n)}}$

• $\{S(1^n, x, z)\}_{n \in \mathbb{N},\, x \in L \cap \{0,1\}^{\mathrm{poly}(n)},\, w \in R_L(x),\, z \in \{0,1\}^{\mathrm{poly}(n)}}$

In this work we consider the setting of concurrent composition. Given an interactive protocol $(P, V)$ and a polynomial $m$, an $m$-session concurrent adversarial verifier $V^*$ is a PPT machine that, on common input $x$ and auxiliary input $z$, interacts with up to $m(|x|)$ independent copies of $P$ concurrently. The different interactions are called sessions. There are no restrictions on how $V^*$ schedules the messages among the different sessions, and $V^*$ may choose to abort some sessions but not others. For convenience of notation, we overload the notation $\mathrm{View}_{V^*}\langle P, V^*(z)\rangle(1^n, x)$ to represent the view of the cheating verifier $V^*$ in the above-mentioned concurrent execution, where $V^*$'s auxiliary input is $z$, both parties are given common input $1^n, x \in L$, and the honest prover has a valid witness $w$ of $x$.

Definition 7 (Concurrent Zero-Knowledge [DNS04]). An interactive protocol $(P,V)$ for language $L$ is concurrent zero-knowledge if for every concurrent adversarial verifier $V^*$ (i.e., any $m$-session concurrent adversarial verifier for any polynomial $m$), there exists a PPT simulator $S$ such that the following two ensembles are computationally indistinguishable over $n \in \mathbb{N}$:

• $\{\mathrm{View}_{V^*}\langle P(w), V^*(z)\rangle(1^n, x)\}_{n \in \mathbb{N},\, x \in L \cap \{0,1\}^{\mathrm{poly}(n)},\, w \in R_L(x),\, z \in \{0,1\}^{\mathrm{poly}(n)}}$

• $\{S(1^n, x, z)\}_{n \in \mathbb{N},\, x \in L \cap \{0,1\}^{\mathrm{poly}(n)},\, w \in R_L(x),\, z \in \{0,1\}^{\mathrm{poly}(n)}}$

2.8  Forward  Secure  PRG 

Roughly speaking, a forward-secure pseudorandom generator (PRG) (first formalized by [BY03], but early usages go back to [BH92]) is a pseudorandom generator where the seed is periodically updated; thus we have a sequence of seeds $s_1, s_2, \ldots$ generating a pseudorandom sequence $q_1, q_2, \ldots$, such that if the seed $s_t$ is exposed (and thus the "later" sequence $q_{t+1}, q_{t+2}, \ldots$ is also exposed), the "earlier" sequence $q_1, \ldots, q_t$ still remains pseudorandom.

We provide a simple definition of a forward-secure pseudorandom generator, where the "exposure" time $t$ is statically selected.⁸

Definition 8 (Forward-secure Pseudorandom Generator). We say that a polynomial-time computable function $G$ is a forward-secure pseudorandom generator (fsPRG) if on input a string $s$ and $\ell \in \mathbb{N}$, it outputs two sequences $(s_1, s_2, \ldots, s_\ell)$ and $(q_1, q_2, \ldots, q_\ell)$ such that the following properties hold:

• Consistency: For every $n, \ell \in \mathbb{N}$ and $s \in \{0,1\}^n$, the following holds:

– if $G(s, \ell) = ((s_1, \bar s), (q_1, \bar q))$, then $G(s_1, \ell - 1) = (\bar s, \bar q)$.

• Forward Security: For every polynomial $p$, the following ensembles are computationally indistinguishable:

– $\{s \leftarrow U_n,\ (\bar s, \bar q) \leftarrow G(s, \ell) : s_t, q_{\le t}\}_{n \in \mathbb{N},\, \ell \in [p(n)],\, t \in [\ell]}$

– $\{s_t \leftarrow U_n,\ q \leftarrow (U_n)^t : s_t, q_{\le t}\}_{n \in \mathbb{N},\, \ell \in [p(n)],\, t \in [\ell]}$

where $U_n$ is the uniform distribution over $\{0,1\}^n$ and $q_{\le t} = (q_1, \ldots, q_t)$.

Any (traditional) PRG implies the existence of a forward-secure PRG; thus by the result of [HILL99] the existence of forward-secure PRGs is implied by the existence of one-way functions.

In our application of forward-secure PRGs, we will use the outputs of the PRG in reverse order, and thus write $G(s, \ell) = ((s_\ell, s_{\ell-1}, \ldots, s_1), (q_\ell, q_{\ell-1}, \ldots, q_1))$. As a consequence, we may reveal a seed $s_t$ "explaining" the "earlier" sequence $((s_{t-1}, \ldots, s_1), (q_{t-1}, \ldots, q_1))$ while guaranteeing that the "later" sequence $(q_\ell, \ldots, q_t)$ still is indistinguishable from random.
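As an added example (not from the paper), the following Python models Definition 8 with the standard iterated construction $(s_i, q_i) = \mathrm{prg}(s_{i-1})$, $s_0 = s$, checks the consistency property, shows that an exposed $s_t$ lets one recompute exactly the later outputs, and then re-indexes the output in the reverse order used in this paper. The underlying length-doubling PRG is a SHA-256 stand-in, which is an assumption of the example.

```python
from __future__ import annotations
import hashlib

N_BYTES = 32  # seed and output length n, in bytes


def prg(seed: bytes) -> tuple[bytes, bytes]:
    """Length-doubling PRG stand-in: seed -> (next seed, output block).

    SHA-256 with two domain-separation tags is used as a heuristic stand-in for
    a provably secure PRG; this is an assumption of the example, not a
    construction from the paper.
    """
    return (hashlib.sha256(b"seed" + seed).digest(),
            hashlib.sha256(b"out" + seed).digest())


def G(s: bytes, ell: int) -> tuple[list[bytes], list[bytes]]:
    """G(s, l) = ((s_1, ..., s_l), (q_1, ..., q_l)) with (s_i, q_i) = prg(s_{i-1}), s_0 = s."""
    seeds, outs, cur = [], [], s
    for _ in range(ell):
        cur, q = prg(cur)
        seeds.append(cur)
        outs.append(q)
    return seeds, outs


def consistent(s: bytes, ell: int) -> bool:
    """Consistency (Definition 8): if G(s, l) = ((s_1, s_bar), (q_1, q_bar))
    then G(s_1, l-1) = (s_bar, q_bar)."""
    seeds, outs = G(s, ell)
    if ell == 0:
        return seeds == [] and outs == []
    tail_seeds, tail_outs = G(seeds[0], ell - 1)
    return tail_seeds == seeds[1:] and tail_outs == outs[1:]


def exposed_after(s: bytes, ell: int, t: int) -> bool:
    """The exposed side of forward security: from s_t alone one recomputes
    q_{t+1}, ..., q_l. q_1, ..., q_t were derived from s_0, ..., s_{t-1}, which
    s_t does not reveal (that part is the security claim, not checkable here)."""
    seeds, outs = G(s, ell)
    return G(seeds[t - 1], ell - t)[1] == outs[t:]


def reverse_order(s: bytes, ell: int) -> tuple[list[bytes], list[bytes]]:
    """The paper's convention: G(s, l) = ((s_l, ..., s_1), (q_l, ..., q_1))."""
    seeds, outs = G(s, ell)
    return seeds[::-1], outs[::-1]


def seed_explains_earlier(s: bytes, ell: int, t: int) -> bool:
    """In the reversed indexing, revealing s_t lets a verifier recompute the
    "earlier" sequence ((s_{t-1}, ..., s_1), (q_{t-1}, ..., q_1)); the "later"
    sequence (q_l, ..., q_t) is not derivable from s_t."""
    rs, rq = reverse_order(s, ell)
    s_t = rs[t - 1]
    earlier_seeds, earlier_outs = rs[:t - 1][::-1], rq[:t - 1][::-1]  # s_{t-1}..s_1, q_{t-1}..q_1
    re_seeds, re_outs = G(s_t, t - 1)   # forward generation from the revealed seed
    return re_seeds == earlier_seeds and re_outs == earlier_outs


if __name__ == "__main__":
    sample_seed = bytes(range(N_BYTES))  # constructed sample seed, not a secret
    print("consistent:", consistent(sample_seed, 6))
    print("s_3 explains q_2, q_1 (paper indexing):", seed_explains_earlier(sample_seed, 6, 3))
```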

8 The definition of [BY03] allows an attacker to adaptively select the exposure time $t$. For our purposes the simpler non-adaptive notion suffices.
3 P-certificates


In this section we define the notion of P-certificates. On a high level, P-certificates can be viewed as an analogue of Micali's CS-proofs [Mic00], but where we restrict to languages in P. As we shall see, by restricting to languages in P, we can make the soundness condition of (a restricted class of) P-certificates falsifiable.

Roughly speaking, we say that $(P, V)$ is a P-certificate system if $(P, V)$ is a non-interactive proof system (i.e., the prover sends a single message to the verifier, who either accepts or rejects) allowing an efficient prover to convince the verifier of the validity of any deterministic polynomial-time computation $M(x) = y$ using a "certificate" of some fixed polynomial length (independent of the size and the running time of $M$) whose validity the verifier can check in some fixed polynomial time (independent of the running time of $M$); that is, any deterministic polynomial-time computation can be certified using a "short" certificate that can be "quickly" verified.

To formalize this, we consider the following canonical languages for P: for every constant $c \in \mathbb{N}$, let $L_c = \{(M, x, y) : M(x) = y \text{ within } |x|^c \text{ steps}\}$. Let $T_M(x)$ denote the running time of $M$ on input $x$.

Definition 9. A pair of probabilistic interactive Turing machines, $(P_{\mathrm{cert}}, V_{\mathrm{cert}})$, is a P-certificate system if there exist polynomials $g_P, g_V, \ell$ such that the following holds:

•  Efficient Verification: On input $c \ge 1$, $1^k$ and a statement $q = (M, x, y) \in L_c$, and $\pi \in \{0,1\}^*$, $V_{\mathrm{cert}}$ runs in time at most $g_V(k + |q|)$;

•  Completeness by a Relatively Efficient Prover: For every $c, d \in \mathbb{N}$, there exists a negligible function $\mu$ such that for every $k \in \mathbb{N}$ and every $q = (M, x, y) \in L_c$ such that $|q| \le k^d$,

$\Pr[\pi \leftarrow P_{\mathrm{cert}}(c, 1^k, q) : V_{\mathrm{cert}}(c, 1^k, q, \pi) = 1] \ge 1 - \mu(k)$

Furthermore, $P_{\mathrm{cert}}$ on input $(c, 1^k, q)$ outputs a certificate of length $\ell(k)$ in time bounded by $g_P(k + |M| + T_M(x))$.

•  Soundness: For every $c \in \mathbb{N}$, and every PPT $P^*$, there exists a negligible function $\mu$ such that for every $k \in \mathbb{N}$,

$\Pr[(q, \pi) \leftarrow P^*(c, 1^k) : V_{\mathrm{cert}}(c, 1^k, q, \pi) = 1 \wedge q \notin L_c] \le \mu(k)$

We also consider a stronger soundness condition stipulating that soundness holds even if the attacker selects a slightly super-polynomial-size statement and specifies some slightly super-polynomial runtime.

•  Strong Soundness: There exists some "nice" super-polynomial function^9 $T(k) \in k^{\omega(1)}$ and some "nice" super-constant function^10 $C(\cdot) \in \omega(1)$ such that for every probabilistic algorithm $P^*$ with running-time bounded by $T(\cdot)$, there exists a negligible function $\mu$, such that, for every $k \in \mathbb{N}$, $c \le C(k)$

$\Pr[(c, q, \pi) \leftarrow P^*(1^k) : V_{\mathrm{cert}}(c, 1^k, q, \pi) = 1 \wedge q \notin L_c] \le \mu(k)$

^9 For instance, $T(n) = n^{\log \log \log n}$.

^10 For instance, $C(k) = \log \log \log n$.

We say that $(P_{\mathrm{cert}}, V_{\mathrm{cert}})$ is a statistically-sound P-certificate system (resp. statistically sound strong P-certificate system) if the soundness condition holds also against (unbounded) $P^*$ with polynomially-bounded (resp. $T(\cdot)$-bounded) output.

Remark 1. The reason that we do not consider a notion of computational soundness with respect to non-uniform polynomial-time attackers is that such a notion is equivalent to statistical soundness: if an accepting proof of a false statement exists, a non-uniform efficient attacker can simply get it as non-uniform advice. Nevertheless, it still makes sense to consider a notion of $a(\cdot)$-bounded non-uniform soundness, where soundness holds for attackers that on input the security parameter $1^k$ additionally receive $a(k)$ bits of non-uniform advice. Our results regarding uniform soundness directly extend also to the regime of bounded non-uniform soundness.

As we shall see shortly, a candidate construction of a (computationally-sound) P-certificate system comes from Micali's CS-proofs [Mic00]. We also note that the assumption that statistically-sound strong P-certificates exist is implied by the assumption that 1) $\mathrm{DTIME}(n^{\omega(1)}) \subseteq \mathrm{NP}$ and 2) NP proofs for statements in $\mathrm{DTIME}(t)$ can be found in time polynomial in $t$ [BLV06]. (In essence, the assumption says that non-determinism can slightly speed up computation, and that the non-deterministic choices can be found efficiently, where efficiency is measured in terms of the original deterministic computation.)

3.1 Time-Representation Invariant P-certificates

At first sight it may seem that since we consider only languages in P, the soundness (resp., strong soundness) condition of P-certificates is falsifiable [Pop63, Nao03]: we should be able to efficiently test if an attacker outputs a valid proof of an incorrect statement, since whether a statement is correct or not can be checked in deterministic polynomial time.

This intuition is somewhat misleading: recall that soundness needs to hold for all polynomial-time computations, where the time bound $n^c$ may be selected by the attacker trying to break soundness. Since there is no a-priori constant bound on $c$, the attacker may make the test (checking whether soundness was broken) run in super-polynomial time (by selecting a large $c$). The situation is even worse for the case of strongly sound P-certificates.

At first one may think that this issue can be easily resolved by restricting to certificate systems where the prover is asked to provide an upper bound on the running-time of $M$ in unary; this certainly makes the soundness condition falsifiable, but such certificates are no longer "short". We overcome this issue by allowing for a more flexible representation of (an upper bound on) the running-time of $M$, and restrict to time-representation invariant P-certificates, namely proof systems where whether the verifier accepts a proof of a statement $x$ does not depend on how the time bound is represented. For a time-representation invariant P-certificate, it suffices to define soundness in the case that the attacker specifies the running-time bound in unary; by the time-representation invariance condition, this implies soundness also for other (more efficient) representations.

Towards this, we consider an alternative variant of canonical languages in P: for every constant $c \in \mathbb{N}$, let $L'_c = \{(M, x, y, 1^n) : M(x) = y \text{ within } n^c \text{ steps}\}$.

Definition 10. A pair of probabilistic interactive Turing machines, $(P_{\mathrm{cert}}, V_{\mathrm{cert}})$, is a time-representation invariant P-certificate system if there exist polynomials $g_P, g_V, \ell$ such that the following holds:

•  Efficient Verification: On input $c \ge 1$, $1^k$ and a statement $q = (M, x, y, 1^n) \in L'_c$, and $\pi \in \{0,1\}^*$, $V_{\mathrm{cert}}$ runs in at most $g_V(k + |q|)$ time.

•  Time-Representation Invariant Verification: There exists a negligible function $\mu$ such that for every $c, c', n, n'$ such that $n^c = n'^{c'}$, every $k \in \mathbb{N}$, every $(M, x, y) \in \{0,1\}^*$ and every certificate $\pi \in \{0,1\}^*$,

$\left| \Pr[V_{\mathrm{cert}}(c, 1^k, (M, x, y, 1^n), \pi) = 1] - \Pr[V_{\mathrm{cert}}(c', 1^k, (M, x, y, 1^{n'}), \pi) = 1] \right| \le \mu(k)$

•  Completeness by a Relatively Efficient Prover: For every $c, d \in \mathbb{N}$, there exists a negligible function $\mu$ such that for every $k \in \mathbb{N}$ and every $q = (M, x, y, 1^n) \in L'_c$ such that $|q| \le k^d$,

$\Pr[\pi \leftarrow P_{\mathrm{cert}}(c, 1^k, q) : V_{\mathrm{cert}}(c, 1^k, q, \pi) = 1] \ge 1 - \mu(k)$

Furthermore, $P_{\mathrm{cert}}$ on input $(c, 1^k, q)$ outputs a certificate of length at most $\ell(k)$ in time bounded by $g_P(k + |M| + n^c)$.

•  Soundness for $L'_1$: For every PPT $P^*$, there exists a negligible function $\mu$ such that for every $k \in \mathbb{N}$,

$\Pr[(q, \pi) \leftarrow P^*(1^k) : V_{\mathrm{cert}}(1, 1^k, q, \pi) = 1 \wedge q \notin L'_1] \le \mu(k)$

We say that $(P_{\mathrm{cert}}, V_{\mathrm{cert}})$ is a strong time-representation invariant P-certificate system if there exists some "nice" $T(k) \in k^{\omega(1)}$ such that the soundness for $L'_1$ condition holds with respect to all probabilistic algorithms with running-time bounded by $T(\cdot)$. We say that $(P_{\mathrm{cert}}, V_{\mathrm{cert}})$ is a statistically-sound time-representation invariant P-certificate system (resp. statistically sound strong time-representation invariant P-certificate system) if the soundness for $L'_1$ condition holds also against (unbounded) $P^*$ with polynomially-bounded (resp. $T(\cdot)$-bounded) output.

Note that the soundness condition of time-representation invariant P-certificates is clearly falsifiable since checking whether the attacker actually outputs a statement $q \notin L'_1$ can be done in linear time in the length of the statement, and verification of a certificate $\pi$ for a statement $q$ can be done in polynomial time by definition.

Let us briefly outline a candidate construction of time-representation invariant P-certificates (where both $P_{\mathrm{cert}}$ and $V_{\mathrm{cert}}$ are deterministic).

A Candidate Construction Based on CS-proofs. Micali's CS proofs [Mic00] are obtained by first constructing a public-coin 4-round interactive argument for NEXP (similar to the "succinct" 4-round interactive argument for NP of [Kil95]) and then eliminating interaction through the Fiat-Shamir paradigm [FS90]: that is, the verifier's random messages are generated by applying a random oracle to the prover's messages, and next the random oracle may be instantiated with a concrete family of hash functions $\{h_k\}_{k \in \mathbb{N}}$. More precisely, CS proofs are used to prove membership of the CS language $L_{\mathrm{CS}}$ with witness relation $R_{\mathrm{CS}}$ as defined in [Mic00]. A quadruple $(M, x, y, t) \in L_{\mathrm{CS}}$ iff the lengths of $x$ and $y$ are smaller than $t$ and $M(x) = y$ in $t$ steps. Roughly speaking, to prove a statement $q = (M, x, y, t)$, the prover, on input a security parameter $1^k$, proceeds in two steps. In the first step, it constructs a PCP (Probabilistically Checkable Proof) [BFLS91, FGL+91] proof $\pi'$ for $q$ and computes a Merkle hash tree [Mer89] with $\pi'$ as the leaves using a hash function $h_k$, producing a root $r$. Then, in the second step, it computes a polylogarithmic number $l$ of PCP queries, determined by the hash value $h_k(r)$; for each PCP query $i$, it finds the authentication path $a_i$ that reveals the corresponding PCP answer $b_i$. Finally, the prover sends a CS proof $\pi = t \| r \| b_1 \| a_1 \| \cdots \| b_l \| a_l$. The verifier, on input a statement $x$ and such a proof $\pi$, checks whether all the authentication paths are accepting w.r.t. $r$, recomputes the PCP queries using $h_k(r)$ and checks whether all the PCP answers are accepting.

In our language $L'_c$, recall that a statement is of the form $q = (M, x, y, 1^n)$. The prover and the verifier on input $c$, $1^k$ and $q$ can thus recover a time bound $t$ by computing $n^c$ and then recover the corresponding CS language instance $(M, x, y, t)$, and next simply run the prover and verifier algorithms of CS-proofs. By construction it follows that the above construction satisfies prover's relative efficiency and completeness. Additionally, since the verification procedure only depends on the time bound $t = n^c$, and not on the values of $n$ and $c$, the verification procedure also has the time-representation invariance property.
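As an added example (not the paper's code), the Merkle-tree and Fiat-Shamir skeleton of the candidate construction, wrapped as a time-representation invariant certificate that recovers $t = n^c$ from $(c, 1^n)$. It assumes HMAC-SHA256 as the hash family $\{h_k\}$ and uses the plain execution trace of $M$ in place of the PCP, so it shows the structure (authentication paths, queries derived from $h_k(r)$, verification that depends on $(c, n)$ only through $n^c$) but not the soundness a real PCP provides.

```python
import hashlib
import hmac

# Added example (not from the paper): Merkle tree + Fiat-Shamir query selection as in the
# CS-proof candidate, wrapped for statements (M, x, y, 1^n) with t = n^c.  The PCP is
# replaced by the raw execution trace of M (constructed stand-in); with a real PCP a
# polylog number of queries gives soundness, with a raw trace it does not.

KEY = b"constructed-index-k-of-h_k"  # selects h_k in the hash family (constructed)
NUM_QUERIES = 8                       # the "polylogarithmic" number l of queries


def h(data: bytes) -> bytes:
    """h_k instantiated as HMAC-SHA256 under KEY (assumption)."""
    return hmac.new(KEY, data, hashlib.sha256).digest()


def step(state: int) -> int:
    """The machine M: one step of a 64-bit linear congruential map (constructed)."""
    return (state * 6364136223846793005 + 1442695040888963407) % 2**64


def enc(state: int) -> bytes:
    return state.to_bytes(8, "big")


def run(M, x: int, t: int) -> int:
    """y = M(x) after exactly t steps."""
    for _ in range(t):
        x = M(x)
    return x


def merkle_levels(leaves):
    """All levels of a Merkle tree over the leaves; an odd level duplicates its last node."""
    level = [h(b"\x00" + leaf) for leaf in leaves]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def auth_path(levels, idx: int):
    """Sibling hashes from leaf idx up to the root (the authentication path a_i)."""
    path = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        path.append(level[idx ^ 1])
        idx //= 2
    return path


def verify_path(root: bytes, idx: int, leaf: bytes, path) -> bool:
    node = h(b"\x00" + leaf)
    for sib in path:
        node = h(b"\x01" + sib + node) if idx & 1 else h(b"\x01" + node + sib)
        idx //= 2
    return node == root


def queries(root: bytes, t: int):
    """Fiat-Shamir: the l query positions (steps 0..t-1) are derived from h_k(r)."""
    seed = h(root)
    return [int.from_bytes(h(seed + i.to_bytes(4, "big"))[:8], "big") % t
            for i in range(NUM_QUERIES)]


def cs_prove(M, x: int, y: int, t: int):
    """CS-style proof for (M, x, y, t): root r plus openings of the queried trace cells."""
    trace = [enc(x)]
    for _ in range(t):
        trace.append(enc(M(int.from_bytes(trace[-1], "big"))))
    if trace[-1] != enc(y):
        raise ValueError("statement is false; no proof")
    levels = merkle_levels(trace)
    root = levels[-1][0]
    opened = {}
    for i in queries(root, t):
        opened[i] = (trace[i], auth_path(levels, i))              # state before step i
        opened[i + 1] = (trace[i + 1], auth_path(levels, i + 1))  # state after step i
    for i in (0, t):                                              # boundary cells x and y
        opened[i] = (trace[i], auth_path(levels, i))
    return root, opened


def cs_verify(M, x: int, y: int, t: int, proof) -> bool:
    root, opened = proof
    for idx, (leaf, path) in opened.items():          # all paths must accept w.r.t. r
        if not (0 <= idx <= t and verify_path(root, idx, leaf, path)):
            return False
    if opened.get(0, (None,))[0] != enc(x) or opened.get(t, (None,))[0] != enc(y):
        return False
    for i in queries(root, t):                        # recompute queries, check answers
        if i not in opened or i + 1 not in opened:
            return False
        if enc(M(int.from_bytes(opened[i][0], "big"))) != opened[i + 1][0]:
            return False
    return True


def pcert_prove(c: int, M, x: int, y: int, n: int):
    """P_cert for L'_c: recover t = n^c and run the CS prover."""
    return cs_prove(M, x, y, n ** c)


def pcert_verify(c: int, M, x: int, y: int, n: int, proof) -> bool:
    """V_cert: depends on (c, n) only through t = n^c, hence representation invariant."""
    return cs_verify(M, x, y, n ** c, proof)
```

A proof produced for $(c, n) = (2, 8)$ verifies unchanged for $(3, 4)$ and $(6, 2)$, since all three represent $t = 64$.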

Finally, in our eyes, assuming that the above construction satisfies the soundness condition of time-representation invariant P-certificates is a reasonable and "well-behaved" complexity-theoretic assumption: on a qualitative level, the assumption is not very different from the assumption that, e.g., the Full Domain Hash [BR93] or Schnorr [Sch91] signature schemes are existentially unforgeable: 1) whether an attacker succeeds can be efficiently checked, 2) no attacks are currently known, and 3) the "design principles" underlying the constructions rely on similar intuitions (e.g., that instantiating random oracles with hash functions in "natural" schemes leads to secure protocols).

From Time-Representation Invariant P-certificates to P-certificates. As we now show, time-representation invariant P-certificates imply P-certificates.

Theorem 1. Assume the existence of a time-representation invariant P-certificate system (resp. a strong time-representation invariant P-certificate system) $(P'_{\mathrm{cert}}, V'_{\mathrm{cert}})$. Then, there exists a P-certificate system (resp. a strong P-certificate system) $(P_{\mathrm{cert}}, V_{\mathrm{cert}})$. Furthermore, if $(P'_{\mathrm{cert}}, V'_{\mathrm{cert}})$ is statistically sound (resp. statistically strong sound), then $(P_{\mathrm{cert}}, V_{\mathrm{cert}})$ is so as well.

Proof. Let $(P'_{\mathrm{cert}}, V'_{\mathrm{cert}})$ be a time-representation invariant P-certificate system. Consider a P-certificate system $(P_{\mathrm{cert}}, V_{\mathrm{cert}})$ where $P_{\mathrm{cert}}$ and $V_{\mathrm{cert}}$ simply run $P'_{\mathrm{cert}}$ and $V'_{\mathrm{cert}}$ respectively with $n$ fixed to the length of the input $x$. More precisely, $P_{\mathrm{cert}}$ on input $c$, $1^k$ and a statement $q = (M, x, y) \in L_c$, lets $q' = (M, x, y, 1^{|x|}) \in L'_c$, runs $P'_{\mathrm{cert}}(c, 1^k, q')$ and outputs whatever $P'_{\mathrm{cert}}$ outputs; $V_{\mathrm{cert}}$ on input $(c, 1^k, q, \pi)$ computes $q'$ in exactly the same way, runs $V'_{\mathrm{cert}}(c, 1^k, q', \pi)$ and outputs the verdict of $V'_{\mathrm{cert}}$. It follows from the relative prover efficiency and completeness properties of $(P'_{\mathrm{cert}}, V'_{\mathrm{cert}})$ that $(P_{\mathrm{cert}}, V_{\mathrm{cert}})$ also satisfies relative prover efficiency and completeness. Let us turn to soundness. We only prove the case of strong soundness (assuming that $(P'_{\mathrm{cert}}, V'_{\mathrm{cert}})$ is strongly sound); all the other cases follow analogously.

Assume for contradiction that for every $T(k) \in k^{\omega(1)}$ and $C(k) \in \omega(1)$, there exists a $T(k)$-time cheating prover $A$, and a polynomial $p$ such that for infinitely many $k \in \mathbb{N}$ and $c_k \le C(k)$, it holds that the probability that $A(1^k)$ outputs $c_k$, a false statement $q = (M, x, y) \notin L_{c_k}$ and a certificate $\pi$ for $q \in L_{c_k}$ that is accepted by $V_{\mathrm{cert}}$ (that is, $V_{\mathrm{cert}}(c_k, 1^k, q, \pi) = 1$) is at least $1/p(k)$. Fix some arbitrary function $T'(k) \in k^{\omega(1)}$. Let $T(k) \in k^{\omega(1)}$ and $C(k) \in \omega(1)$ be two functions such that $T(k)^{C(k)} \le T'(k)$. By our assumption, there exists a cheating prover $A$ that violates the strong soundness property of $(P_{\mathrm{cert}}, V_{\mathrm{cert}})$ w.r.t. the functions $T(k)$ and $C(k)$ with some polynomial probability $1/p(k)$. Using $A$, we construct another cheating prover $A'$ that violates the strong soundness for $L'_1$ of $(P'_{\mathrm{cert}}, V'_{\mathrm{cert}})$ w.r.t. the function $T'(k)$ with the same probability $1/p(k)$. Machine $A'$ on input $1^k$ simply runs $A(1^k)$ to obtain $c_k$, $q = (M, x, y)$ and $\pi$; it then sets $n = |x|^{c_k}$ and outputs $q' = (M, x, y, 1^n)$ and $\pi$. Clearly, $A'$ runs in time $T(k)^{C(k)} \le T'(k)$. By construction of $V_{\mathrm{cert}}$, the probability that $V_{\mathrm{cert}}(c_k, 1^k, q, \pi) = 1$ is the same as the probability that $V'_{\mathrm{cert}}(c_k, 1^k, \hat{q}, \pi) = 1$, where $\hat{q} = (M, x, y, 1^{|x|})$. Furthermore, by the time-representation invariance of $V'_{\mathrm{cert}}$, the probability that $V'_{\mathrm{cert}}(c_k, 1^k, \hat{q}, \pi) = 1$ is negligibly close to the probability that $V'_{\mathrm{cert}}(1, 1^k, q', \pi) = 1$. It follows that $A'$ (whose running-time is bounded by $T'(k)$) outputs accepting proofs of false statements with probability negligibly close to $1/p(k)$ for infinitely many $k \in \mathbb{N}$. Since the above holds for any function $T'(k)$, we have that $(P'_{\mathrm{cert}}, V'_{\mathrm{cert}})$ is not strongly sound for $L'_1$, which is a contradiction. □

4 Constant-round Concurrent ZK

In this section, we present our construction of a constant-round concurrent ZK protocol. To simplify the exposition (and following the description in the introduction), as a warm-up, we first present a protocol that only uses one level of P-certificates and thus only handles a bounded number, $O(m(n))$, of concurrent executions; we refer to this protocol as "Protocol 1". We then generalize Protocol 1 and describe a protocol that uses $k$ levels of certificates and can handle $O(n^k)$ concurrent executions; we refer to this protocol as "Protocol $k$". By setting $k$ to be super-constant, say, $k = \log n$, we obtain a (fully) concurrent ZK protocol.

4.1 Protocol 1

We proceed to describe Protocol 1, $(P_1, V_1)$, which we prove is $m$-bounded concurrent zero-knowledge. The protocol relies on the following primitives:

•  A commitment scheme $\mathrm{com}$: for simplicity of presentation, we assume that $\mathrm{com}$ is a non-interactive commitment scheme, but the protocol can be modified in a straightforward way to work for any two-message commitment scheme (as in [Nao91]).

•  A strong P-certificate system $(P_{\mathrm{cert}}, V_{\mathrm{cert}})$ with parameters $T(\cdot)$ and $C(\cdot)$, where $T(\cdot)$ is a "nice" super-polynomial function and $C(\cdot)$ is a "nice" super-constant function: for simplicity of exposition, we assume that both $P_{\mathrm{cert}}$ and $V_{\mathrm{cert}}$ are deterministic. We discuss in Section 4.3 how to modify the protocol to also handle randomized P-certificate systems.

•  A family of hash functions $\{\mathcal{H}_n\}_n$: to simplify the exposition, we here assume that both $\mathrm{com}$ and $\{\mathcal{H}_n\}_n$ are collision resistant against circuits of size $T'(\cdot)$, where $T'(\cdot)$ is a "nice" super-polynomial function. As in [BG02], this assumption can be weakened to just collision resistance against polynomial-size circuits by modifying the protocol to use a "good" error-correcting code $\mathrm{ECC}$ (i.e., with constant distance and with polynomial-time encoding and decoding), and replacing commitments $\mathrm{com}(h(\cdot))$ with $\mathrm{com}(h(\mathrm{ECC}(\cdot)))$.

Let us now turn to specifying the protocol $(P_1, V_1)$. The protocol makes use of three parameters: $m(\cdot)$ is a polynomial that upper bounds the number of concurrent sessions; $\Gamma(\cdot)$ is a "nice" super-polynomial function such that $T(n), T'(n) \in \Gamma(n)^{\omega(1)}$, and $D(\cdot)$ is a "nice" super-constant function such that $D(n) \le C(n)$. Let $m = m(n)$, $\Gamma = \Gamma(n)$ and $D = D(n)$. In the description below, when discussing P-certificates, we always consider the language $L_D$.

The prover $P_1$ and the verifier $V_1$, on common input $1^n$ and $x$ and private input a witness $w$ to $P_1$, proceed as follows:

Phase 1: $P_1$ and $V_1$ exchange the following three messages.

1. $V_1$ chooses a randomly sampled hash function $h \leftarrow \mathcal{H}_n$.

2. $P_1$ sends a commitment to $0^n$ using $\mathrm{com}$.

3. $V_1$ replies with a random "challenge" $r$ of length $3mn$.

Phase 2: $P_1$ gives a WIUA argument of the statement that either $x \in L$ OR there exist $S_1 \in \{0,1\}^{\Gamma(n)}$, $j \in [m]$, $s \in \{0,1\}^n$, $\pi \in \{0,1\}^n$, $\sigma \in \{0,1\}^{\Gamma(n)}$, $\rho$, such that

1. Commitment Consistency: $c = \mathrm{com}(h(S_1); \rho)$,

2. Input Certification: $|\sigma| \le 2mn$,

3. Prediction Correctness: $\pi$ certifies that $S_1(1^n, j, s, \sigma) = r$.

A formal description of the protocol can be found in Figures 4 and 5.


Protocol 1

Common Input: A security parameter $1^n$ in unary and an instance $x$ of a language $L \in \mathrm{NP}$ with witness relation $R_L$.

Parameters: $m = m(n)$ is an upper bound on the number of concurrent sessions. $\Gamma = \Gamma(n)$ and $D = D(n)$ are respectively upper bounds on the size of the committed program and the time bound.

Phase 1:

$V_1 \rightarrow P_1$: Send $h \leftarrow \mathcal{H}_n$.

$P_1 \rightarrow V_1$: Send $c = \mathrm{com}(0^n; \rho)$.

$V_1 \rightarrow P_1$: Send $r \leftarrow \{0,1\}^{3mn}$.

Phase 2:

$P_1 \Leftrightarrow V_1$: A WIUA $(P_{\mathrm{UA}}, V_{\mathrm{UA}})$ proving the OR of the following statements:

1. $\exists\, w \in \{0,1\}^{\mathrm{poly}(n)}$ s.t. $R_L(x, w) = 1$.

2. $\exists\, (S_1, j, s, \pi, \sigma, \rho)$ s.t. $R_S((h, c, r), (S_1, j, s, \pi, \sigma, \rho)) = 1$.


Figure 4: A public-coin non-black-box bounded concurrent zero-knowledge protocol.


Instance: A triplet $(h, c, r) \in \mathcal{H}_n \times \{0,1\}^{\mathrm{poly}(n)} \times \{0,1\}^{3mn}$.

Witness: $(S_1, j, s, \pi, \sigma, \rho)$: A program $S_1 \in \{0,1\}^{\Gamma}$, an integer $j \in [m]$, a seed $s \in \{0,1\}^n$, a P-certificate $\pi \in \{0,1\}^n$, a string $\sigma \in \{0,1\}^{\Gamma}$, a randomness $\rho \in \{0,1\}^n$.

Relation: $R_S((h, c, r), (S_1, j, s, \pi, \sigma, \rho)) = 1$ if and only if:

1. Commitment Consistency: $c = \mathrm{com}(h(S_1); \rho)$,

2. Input Certification: $|\sigma| \le 2mn$,

3. Prediction Correctness: $V_{\mathrm{cert}}(D, 1^n, (S_1, (1^n, j, s, \sigma), r), \pi) = 1$ (i.e., $\pi$ certifies that $S_1(1^n, j, s, \sigma) = r$).


Figure 5: $R_S$, a relation that Protocol 1 uses in the WIUA of Phase 2.


Our Simulator. As explained in the introduction, the goal of our simulator is to try to "commit to its own code" in a way that prevents a blow-up in the running-time. Note that in our protocol, the only expensive part of the generation of the WIUA is the generation of the P-certificates $\pi$; the rest of the computation has a-priori bounded complexity (depending only on the size and running-time of $V^*$). To take advantage of this observation, we thus have the simulator only commit to a program that generates prover messages (in identically the same way as the actual simulator), but getting certificates $\pi$ as input.

In more detail, to describe the actual simulator $S$, let us first describe two "helper" simulators $S_1, S_2$. Roughly speaking, $S_1$ is an interactive machine that simulates prover messages in a "right" interaction with $V^*$. Additionally, $S_1$ is expecting some "external" messages on the "left"; these "left" messages will be certificates provided by $S_2$. See Figure 1 in the introduction for an illustration of the communication patterns between $S_1$, $S_2$ and $V^*$.

Let us turn to a formal description of $S_1$ and $S_2$. To simplify the exposition, we assume w.l.o.g. that $V^*$ has its non-uniform advice $z$ hard-coded, and is deterministic (as it can always get its random tape as non-uniform advice).

On a high level, $S_1(1^n, x, M, s, \ell)$ acts as a prover in a "right" interaction, communicating with a concurrent verifier $V^*$, while receiving some additional "external" messages on the "left". (The input $x$ is the statement to be proved, the input $M$ will later be instantiated with the code of $S_1$, and the input $(s, \ell)$ is used to generate the randomness for $S_1$; $s$ is the seed for the forward secure pseudorandom generator $g$, and $\ell$ is the number of $n$-bit long blocks to be generated using $g$.) A communication round in the "right" interaction with $V^*$ refers to a verifier message (sent by $V^*$) followed by a prover message (sent by $S_1$).

Let us now specify how $S_1$ generates prover messages in its "right" interaction with $V^*$. $S_1(1^n, x, M, s, \ell)$ acts as follows:

•  Upon invocation, $S_1$ generates its "random tape" by expanding the seed $s$; more specifically, let $(s_\ell, s_{\ell-1}, \ldots, s_1), (q_\ell, q_{\ell-1}, \ldots, q_1)$ be the output of $g(s, \ell)$. We assume without loss of generality that $S_1$ only needs $n$ bits of randomness to generate any prover message (it can always expand these $n$ bits into a longer sequence using a PRG); in order to generate its $j$'th prover message, it uses $q_j$ as randomness.

•  Upon receiving a hash function $h_i$ in session $i$ during the $j$-th communication round, $S_1$ provides a commitment $c_i$ to (the hash of) the program $S_1(1^n, j, s', \tau) = \mathrm{wrap}(M(1^n, x, M, s', j), V^*, \tau, j)$, where $\mathrm{wrap}(A, B, \tau, j)$ is the program that lets $A$ communicate with $B$ for $j$ rounds, while allowing $A$ to receive $\tau$ as external messages, and finally outputting $B$'s message in the $j$'th communication round. (That is, $S_1(1^n, j, s', \tau)$ emulates $j$ rounds of an execution between $S_1$ and $V^*$ where $S_1$ expands out the seed $s'$ into $j$ blocks of randomness and additionally receives $\tau$ as external messages.)

•  Upon receiving a challenge $r_i$ in session $i$ during the $j$'th communication round, $S_1$ needs to provide a WIUA. To do so, it checks whether it has received an external message $(j, \pi_j)$, and if so, it uses the certificate $\pi_j$ to complete the WIUA (and otherwise halts). More precisely, $S_1$ provides an honest WIUA that $c_i$ is a commitment to $S_1$ and that $\pi_j$ certifies that $S_1(1^n, j, s_j, \tau) = r_i$ where $\tau$ is the list of external messages received by $S_1$ so far. (Note that since we only require $S_1$ to generate the $j$'th verifier message, giving it the seed $(s_j, j)$ as input suffices to generate all prover messages in rounds $j' < j$. It follows from the consistency requirement of the forward secure PRG that $S_1$ using $(s_j, j)$ as seed will generate the exact same random sequence for the $j-1$ first blocks as if running $S_1$ using $(s, \ell)$ as seed.)

$S_2(1^n, x, M, s, \ell)$ internally emulates $\ell$ messages of an execution between $S_1(1^n, x, M, s, \ell)$ and $V^*$. In each communication round $j$, after $V^*$ generates a verifier message $m_j$, $S_2$ generates a certificate $\pi_j$ (using $P_{\mathrm{cert}}$) that $S_1(1^n, j, s_j, \sigma) = m_j$, where $\sigma$ is the list of external messages received by $S_1$ so far, and feeds $(j, \pi_j)$ to $S_1$. Finally, $S_2$ outputs its view (which in particular contains the view of $V^*$) at the end of the execution.

The final simulator $S(1^n, x)$ simply runs $S_2(1^n, x, S_1, s, T(n + |x|))$, where $s$ is a uniformly random string of length $n$ and $T(n + |x|)$ is a polynomial upper bound on the number of messages sent by $V^*$ given the common input $1^n, x$, and extracts out, and outputs, the view of $V^*$ from the output of $S_2$.

Running-time of $S$. Let us first argue that $S_1$ runs in polynomial time. Clearly it only takes $S_1$ polynomial time to generate the commitments in Phase 1 (since $V^*$ has a polynomial-length description, and thus so does the code of $S_1$). During the WIUA in Phase 2, the length of the witness used by the simulator is polynomial in the length of the description of $S_1$ and the length of the certificate $\pi$ used by $S_1$; both are of polynomial length. Since the P-certificate verification time is polynomial in the length of the statement proved, it follows that the relation being proved in the WIUA has a time complexity that is upper bounded by a fixed polynomial in the length of $V^*$. By the relative prover efficiency condition of the WIUA, each such proof only requires some fixed polynomial time, and thus the whole execution of $S_1$ takes some fixed polynomial time (in the length of $V^*$ and thus also in the length of $x$). It directly follows that also $S_1$'s running-time is polynomially bounded.

Finally, since $S_2$ is simply providing certificates about the execution of $S_1$, it follows by the relative prover efficiency condition of P-certificates that $S_2$ runs in polynomial time, and thus so does $S$.

Indistinguishability of the simulation. Assume that there exists a cheating verifier $V^*$, a distinguisher $D$ and a polynomial $p$ such that the real view and the simulated view of $V^*$ can be distinguished by $D$ with probability $1/p(n)$ for infinitely many $n$. More formally, for infinitely many $n \in \mathbb{N}$, $x \in L \cap \{0,1\}^{\mathrm{poly}(n)}$, $w \in R_L(x)$ and $z \in \{0,1\}^{\mathrm{poly}(n)}$, it holds that

$\left| \Pr[D(\mathrm{View}_{V^*}\langle P(w), V^*(z) \rangle(1^n, x)) = 1] - \Pr[D(S(1^n, x, z)) = 1] \right| \ge \frac{1}{p(n)}$

Consider a hybrid experiment $\mathrm{Real}'_{V^*}(n, x, z)$ that proceeds just as the real experiment except that all Phase 1 commitments are generated by committing to the code of $S_1$ (as done by $S$). We also denote by $\mathrm{Real}'_{V^*}(n, x, z)$ the view of the verifier $V^*$ in the hybrid. It follows by a simple hybrid argument that there exists a polynomial $p'$ such that the view of $V^*$ in the hybrid $\mathrm{Real}'$ and in the simulation by $S$ can be distinguished by $D$ with probability $1/p'(n)$ for infinitely many $n$. That is, for infinitely many $n \in \mathbb{N}$, $x \in L \cap \{0,1\}^{\mathrm{poly}(n)}$, $w \in R_L(x)$ and $z \in \{0,1\}^{\mathrm{poly}(n)}$, it holds that

$\left| \Pr[D(\mathrm{Real}'_{V^*}(n, x, w, z)) = 1] - \Pr[D(S(1^n, x, z)) = 1] \right| \ge \frac{1}{p'(n)}$ \quad (1)

Consider such $n, x, z$ (and assume that $z$ is hard-coded into the description of $V^*$), and consider $T = T(n + |x|)$ hybrid experiments (recall that $T(n + |x|)$ is the maximum number of communication rounds given common input $1^n, x$). In hybrid $H_j$, the first $j$ communication rounds are simulated exactly as by $S$ (using pseudo-randomness), but all later communication rounds $j' > j$ are simulated by $S$ (and more specifically by $S_1$) using true randomness $q_{j'}$ uniformly distributed in $\{0,1\}^n$; additionally, to complete all WIUAs that begin at or after communication round $j$, $S_1$ uses the true witness $w$ instead of the "fake" witness used by $S_1$. (Note that once we start using real randomness in some session $i$, it is no longer clear whether the simulation of "later" sessions can be completed. To deal with this issue, we thus also switch all WIUAs that begin at or after round $j$ to use a real witness; if some WIUA already began at some communication round $j' < j$, then the simulation of this WIUA can still be completed.)

It follows by Equation 1 and a hybrid argument that there exist some $j$ and a polynomial $p''$ such that $D$ distinguishes $H_j$ and $H_{j+1}$ with probability $1/p''(n)$. Now, consider another hybrid experiment $H'_j$ that proceeds just as $H_{j+1}$, but where true randomness is used in communication round $j + 1$ (but still using the fake witness). It follows by the forward security of the PRG $g$ that the outputs of $H_{j+1}$ and $H'_j$ are indistinguishable; the reason we need forward security is that to emulate communication rounds $j' < j$, the seeds $s_{j'}$ may need to be known (as they are used by $S_1$ to provide WIUAs). Indistinguishability of $H'_j$ and $H_j$ follows directly by the witness indistinguishability property of the WIUA. This leads to a contradiction and completes the proof of the indistinguishability of the simulation.


4.2  Protocol k

We move on to describe our actual concurrent ZK protocol: Protocol k, $(P_k, V_k)$. We refer the reader to the introduction for the ideas underlying this protocol.

As with Protocol 1, Protocol k proceeds in two phases. In Phase 1, the prover $P_k$ and the verifier $V_k$ proceed exactly as in Protocol 1, but the length of the "challenge" $r$ is modified to be $3kn^2$. Next, Phase 2 is modified as follows:

Phase 2: $P_k$ gives a WIUA argument of the statement that either $x \in L$ OR there exist $S_1, \dots, S_k \in \{0,1\}^{\Gamma(n)}$, $0 \le j \le n^k$, $s^1, \dots, s^k \in \{0,1\}^n$, $\pi^1, \dots, \pi^k \in \{0,1\}^n$, strings $\alpha^1, \dots, \alpha^k$ and $\lambda^1, \dots, \lambda^k$, and $\rho \in \{0,1\}^n$, such that

1. Commitment Consistency: $c = \mathrm{com}(h(S_1, \dots, S_k); \rho)$,

2. Input Certification:

   (a) $|\alpha| \le 2kn^2$, and

   (b) Let $l^*$ be the largest $l$ such that $j \ge n^{l-1}$. Then $\lambda^{l^*} = \mathrm{null}$ and for $2 \le l \le l^*$, $\pi^l$ certifies that $S_l(1^n, \lfloor j \rfloor_{n^{l-1}}, s^l, ([\lambda^l]_{\lfloor j \rfloor_{n^{l-1}}}, \alpha^l)) = \lambda^{l-1}$.

3. Prediction Correctness: $\pi^1$ certifies that $S_1(1^n, j, s^1, ([\lambda^1]_j, \alpha^1)) = r$,

where $\lfloor j \rfloor_x = j - (j \bmod x)$, and the bracket operator $[\cdot]_j$ is defined as follows: the input is expected to be a set of triples of the form $(j', l', \pi^{l'}_{j'})$, and the output is the subset of these obtained by removing the elements with $j' \ge j$; that is, we are "filtering out" all messages that were generated in communication round $j$ or later. Roughly speaking, the bracket operator is used to eliminate "unnecessary" inputs to the program. We require this to be able to reuse P-certificates; we provide a more detailed explanation of why this is needed in Remark 2, after having formalized the simulator.

Using the notation from the introduction, the messages $\lambda$ are "certified" certificates (each component of $\lambda$ may be of unbounded polynomial length), and the messages $\alpha$ are "dangling" certificates (each component of $\alpha$, however, is "short" by the input certification condition).

A formal description of Protocol k can be found in Figures 6 and 7.

We will be analyzing $(P_k, V_k)$ when $k = \log n$ (but the analysis works as long as $k$ is a "nice" super-constant, but polynomially-bounded, function). It is easy to check that the protocol is complete. Furthermore, since the honest prover $P_k$, on private input a valid witness $w$ of the statement $x$, always succeeds in Phase 2 by proving that $x \in L$, by the prover and verifier efficiency conditions of the WIUA both the honest prover $P_k$ and the verifier $V_k$ run in some fixed polynomial time. Furthermore, note that the communication complexity of the protocol depends only on the security parameter $1^n$ but not on the length of the statement $x$; thus the protocol is "succinct".

We turn to showing that $(P_k, V_k)$ is sound and concurrent ZK when $k = \log n$.

Protocol k

Common Input: A security parameter $1^n$ and an instance $x$ of a language $L \in \mathrm{NP}$ with witness relation $R_L$.

Parameters: $m = m(n)$ is an upper bound on the number of concurrent sessions. $\Gamma = \Gamma(n)$ and $D = D(n)$ are, respectively, upper bounds on the size of the committed program and on the time bound.

Phase 1:

$V_k \to P_k$: Send $h \leftarrow \mathcal{H}_n$.

$P_k \to V_k$: Send $c = \mathrm{com}(0^n; \rho)$.

$V_k \to P_k$: Send $r \leftarrow \{0,1\}^{3kn^2}$.

Phase 2:

$P_k \Leftrightarrow V_k$: A WIUA $(P_{UA}, V_{UA})$ proving the OR of the following statements:

1. $\exists\, w \in \{0,1\}^{\mathrm{poly}(|x|)}$ s.t. $R_L(x, w) = 1$.

2. $\exists\, (S, j, s, \pi, \alpha, \lambda, \rho)$ s.t. $R_S((h, c, r), (S, j, s, \pi, \alpha, \lambda, \rho)) = 1$.

Figure 6: A public-coin non-black-box concurrent zero-knowledge protocol.

4.2.1  Soundness of Protocol k

Lemma 1. Under the above-mentioned cryptographic assumptions, $(P_k, V_k)$ is uniformly sound. Additionally, if $(P_{cert}, V_{cert})$ is a statistically strong P-certificate system, then $(P_k, V_k)$ is non-uniformly sound.

Proof. We prove this lemma w.r.t. uniform soundness assuming $(P_{cert}, V_{cert})$ is a strong P-certificate system; the non-uniform part of the lemma follows in identically the same way.

Assume for contradiction that there is a probabilistic polynomial-time cheating prover $P^*$ and a polynomial $p$ such that for infinitely many $n \in \mathbb{N}$, with probability $1/p(n)$, $P^*$ selects a false statement $x \in \{0,1\}^{\mathrm{poly}(n)} \setminus L$ and convinces $V_k$ of the membership of $x$ in $L$.

Fix one such $n$. Let $P^*_{u,h,r}$ be the "residual" deterministic WIUA prover resulting from fixing $P^*$'s randomness to $u$ and feeding it the messages $h$ and $r$. Let $E$ be the "global" proof-of-knowledge extractor of the WIUA. Note that $E$ runs in time $\mathrm{poly}(\Gamma(n))$. Let $E_s$ denote $E$ with randomness fixed to $s$. Now, consider the following experiment Exp:

• Sample a tuple $(u, h, r, s)$ uniformly at random.

• Let $(x, c) \leftarrow P^*_{u,h,r}$ and $w' \leftarrow E_s^{P^*_{u,h,r}}$, where $x$ is the statement selected by $P^*_{u,h,r}$, $c$ is the commitment generated by $P^*_{u,h,r}$, and $w'$ is the witness extracted by $E_s^{P^*_{u,h,r}}$.
Instance: A triplet $(h, c, r) \in \mathcal{H}_n \times \{0,1\}^{\mathrm{poly}(n)} \times \{0,1\}^{3kn^2}$.

Witness: $(S, j, s, \pi, \alpha, \lambda, \rho)$: a sequence of programs $S = (S_1, \dots, S_k) \in \{0,1\}^{k\Gamma}$, an integer $j \in [n^k]$, a sequence of seeds $s = (s^1, \dots, s^k) \in \{0,1\}^{kn}$, a sequence of P-certificates $\pi = (\pi^1, \dots, \pi^k) \in \{0,1\}^{kn}$, a sequence of "dangling" certificates $\alpha = (\alpha^1, \dots, \alpha^k)$, a sequence of "certified" certificates $\lambda = (\lambda^1, \dots, \lambda^k)$, and randomness $\rho \in \{0,1\}^n$.

Relation: $R_S((h, c, r), (S, j, s, \pi, \alpha, \lambda, \rho)) = 1$ if and only if:

1. Commitment Consistency: $c = \mathrm{com}(h(S); \rho)$,

2. Input Certification:

   (a) $|\alpha| \le 2kn^2$, and

   (b) Let $l^*$ be the largest $l$ such that $j \ge n^{l-1}$. $\lambda^{l^*} = \mathrm{null}$ and for $2 \le l \le l^*$, $V_{cert}(D, 1^n, (S_l, (1^n, \lfloor j \rfloor_{n^{l-1}}, s^l, ([\lambda^l]_{\lfloor j \rfloor_{n^{l-1}}}, \alpha^l)), \lambda^{l-1}), \pi^l) = 1$ (i.e., $\pi^l$ certifies that $S_l(1^n, \lfloor j \rfloor_{n^{l-1}}, s^l, ([\lambda^l]_{\lfloor j \rfloor_{n^{l-1}}}, \alpha^l)) = \lambda^{l-1}$),

3. Prediction Correctness: $V_{cert}(D, 1^n, (S_1, (1^n, j, s^1, ([\lambda^1]_j, \alpha^1)), r), \pi^1) = 1$ (i.e., $\pi^1$ certifies that $S_1(1^n, j, s^1, ([\lambda^1]_j, \alpha^1)) = r$),

where $\lfloor j \rfloor_x = j - (j \bmod x)$, and the operator $[\cdot]_j$ is defined as follows: the input is expected to be a set of triples of the form $(j', l', \pi^{l'}_{j'})$, and the output is the subset of these obtained by removing the elements with $j' \ge j$.

Figure 7: $R_S$, the relation that Protocol k uses in the WIUA of Phase 2.

Let BAD denote the event that $E_s^{P^*_{u,h,r}}$ extracts a valid "fake" witness $w' = (S, j', s', \pi', \alpha', \lambda', \rho') \in R_S(h, c, r)$ in the above experiment.

Let us first argue that, by our assumption (that $P^*$ breaks soundness), BAD happens with non-negligible probability: By an averaging argument, with probability at least $1/2p(n)$ over $(u, h, r)$, the statement $x$ selected by $P^*_{u,h,r}$ is not a member of $L$ and yet $P^*_{u,h,r}$ convinces the WIUA verifier with probability at least $1/2p(n)$. For each such tuple $(u, h, r)$, by the "global" proof-of-knowledge property of the WIUA, $E_s^{P^*_{u,h,r}}$ extracts a valid witness with some non-negligible probability $1/q(n)$ (over the randomness $s$); since $x \notin L$, any such witness is a "fake" witness $w' \in R_S(h, c, r)$. It follows that BAD happens with non-negligible probability.

We now show that under our cryptographic assumptions, BAD can only happen with negligible probability, which is a contradiction.

First, note that by the soundness of $(P_{cert}, V_{cert})$ with parameters $T(\cdot)$ and $C(\cdot)$, and the fact that $\Gamma(n) = T(n)^{o(1)}$ and $D(n) \le C(n)$, we have that except with negligible probability over the choice of $(u, h, r, s)$, whenever the P-certificates $\pi'$ that $E_s^{P^*_{u,h,r}}$ extracts are convincing (i.e., accepted by $V_{cert}$), their corresponding statements are true; otherwise, we can construct a uniform $\mathrm{poly}(\Gamma(n))$-time adversary that samples $u, h, r, s$ uniformly at random, runs $E_s^{P^*_{u,h,r}}$ and outputs a random certificate from $w'$. Additionally, by the binding property of com and the collision-resistance property of $\mathcal{H}_n$, it follows that with overwhelming probability over $(u, h)$ there exists a vector of machines $S^*$ such that, except with negligible probability over the choice of $r, s$, it holds that if $E_s^{P^*_{u,h,r}}$ outputs a valid $w' \in R_S(h, c, r)$, then the machines $S$ in $w'$ equal $S^*$.$^{11}$ By a union bound it follows that with overwhelming probability over $(u, h)$, there exists a vector of machines $S^*$ such that, except with negligible probability over the choice of $r, s$, the following holds: a) if $E_s^{P^*_{u,h,r}}$ outputs a valid $w' \in R_S(h, c, r)$, then the machines $S$ in $w'$ equal $S^*$, and b) all accepting certificates $\pi'$ prove true statements. Let us refer to such pairs $(u, h)$ as good.

$^{11}$Note that for this to hold, we here rely on the fact that binding of com and collision-resistance of $\mathcal{H}_n$ hold also for circuits of size $\mathrm{poly}(\Gamma(n))$; however, as mentioned, by slightly modifying the protocol as in [BG02], this assumption can be weakened to just collision resistance against polynomial-size circuits.

For any valid "fake" witness $w' = (S, j', s', \pi', \alpha', \lambda', \rho') \in R_S(h, c, r)$, define a machine $M_{w'}$ (using the $S$ in $w'$) that, given the input $(j', s', \alpha')$ of length at most $2kn^2 + kn + k\log n$ (recall that $|\alpha'| \le 2kn^2$, $s' \in \{0,1\}^{kn}$ and $j' \in [n^k]$), outputs $r$:

Machine $M_{w'}$. $M_{w'}(1^n, j, s, \alpha)$ lets $l^*$ be the largest $l$ such that $j \ge n^{l-1}$. $M_{w'}$ next runs the machines $S_{l^*}, S_{l^*-1}, \dots, S_1$ in sequence as follows: $S_{l^*}$ is run on input $1^n$, $\lfloor j \rfloor_{n^{l^*-1}}$, $s^{l^*}$ and $\alpha^{l^*}$; let $\lambda^{l^*-1}$ denote its output. Next, for each $l < l^*$ (in decreasing order), $S_l$ is given $1^n$, $\lfloor j \rfloor_{n^{l-1}}$, $s^l$, $\alpha^l$ and $[\lambda^l]_{\lfloor j \rfloor_{n^{l-1}}}$, where $\lambda^l$ is the output of the execution of $S_{l+1}$. Finally, $M_{w'}$ outputs the string $r$ returned by $S_1$.

Note that by definition, if all the P-certificates in $w'$ prove true statements, then $M_{w'}$ given the input $(j', s', \alpha')$ indeed outputs $r$. However, for any fixed machine $M$ whose input is of length at most $2kn^2 + kn + k\log n$, there are fewer than $2^{2kn^2 + kn + k\log n + 1}$ possible inputs, so by a counting argument only for a $2^{-kn^2 + kn + k\log n + 1} = \mathrm{negl}(n)$ fraction of the $2^{3kn^2}$ strings $r \in \{0,1\}^{3kn^2}$ does there exist some input that makes $M$ output $r$. Thus, whenever $(u, h)$ is good (which happens with overwhelming probability), the machine $M_{w'} = M_{S^*}$ is determined by $S^*$ alone, i.e., before $r$ is chosen, and hence except with negligible probability (over the choice of $r, s$) BAD cannot happen; it follows that BAD can only happen with negligible probability, which is a contradiction.

□

4.2.2  Concurrent ZK of Protocol k

The simulator $\mathcal{S}$ for Protocol k will define $k+1$ "helper" simulators $\mathcal{S}_1, \dots, \mathcal{S}_{k+1}$. Before providing the formal definition of $\mathcal{S}_1, \dots, \mathcal{S}_{k+1}$, let us first describe the interaction among them.

Recall that in the simulation of Protocol 1, $\mathcal{S}_1$ is an interactive machine that communicates with a concurrent verifier $V^*$ on the "right", while expecting to receive a P-certificate $(j, \pi_j)$ from $\mathcal{S}_2$ on the "left" for every communication round $j$ in the right interaction with $V^*$; $\mathcal{S}_1$ then makes use of these certificates to complete the right interaction with $V^*$ (and more specifically, to complete the WIUAs it is supposed to provide to $V^*$). In the simulation of Protocol k, $\mathcal{S}_1$ still communicates with $V^*$ on the "right", but now additionally expects to receive P-certificates from all of $\mathcal{S}_2, \dots, \mathcal{S}_{k+1}$ on the "left". In more detail, recall that a communication round in the "right" interaction refers to a verifier message (sent by $V^*$) followed by a prover message (sent by $\mathcal{S}_1$). Now, in each communication round $j$ in the right interaction, upon receiving a message from the verifier $V^*$, $\mathcal{S}_1$ also expects to receive $(j, 1, \pi^1_j)$ from $\mathcal{S}_2$, and furthermore, for every $2 \le l \le k$, if $j \bmod n^{l-1} = 0$, then $\mathcal{S}_1$ additionally expects to receive $(j, l, \pi^l_j)$ from $\mathcal{S}_{l+1}$. In other words, $\mathcal{S}_1$ expects to receive a "level-$l$" certificate (of the form $(j = a \cdot n^{l-1}, l, \pi^l_j)$ for some $a$) from $\mathcal{S}_{l+1}$ every $n^{l-1}$ communication rounds. Roughly speaking, each such "level-$l$" certificate certifies that all "level-$(l-1)$" certificates up to round $j$ were actually generated by $\mathcal{S}_l$; and those "level-$(l-1)$" certificates certify that $\mathcal{S}_{l-1}$ actually generated the "level-$(l-2)$" certificates up until round $j$, etc. See Figure 8 for an illustration of the communication pattern between $V^*, \mathcal{S}_1, \dots, \mathcal{S}_{k+1}$.

Figure 8: Simulation of protocol $(P_k, V_k)$ for $k = 3$.

For every $2 \le l \le k$, for $\mathcal{S}_l$ to be able to generate its level-$(l-1)$ certificates, $\mathcal{S}_l$ internally emulates the interaction among $\mathcal{S}_{l-1}, \dots, \mathcal{S}_1, V^*$, but additionally needs to receive all level-$l'$ certificates, where $l' \ge l$; thus each machine $\mathcal{S}_l$ produces level-$(l-1)$ certificates on the "right", while receiving level-$l$, level-$(l+1)$, ..., level-$k$ certificates from, respectively, $\mathcal{S}_{l+1}, \mathcal{S}_{l+2}, \dots, \mathcal{S}_{k+1}$ on the "left". See Figure 9 for an illustration of $\mathcal{S}_l$.

Figure 9: Simulator $\mathcal{S}_l$.

We now define $\mathcal{S}_1$. As before, on a high level, $\mathcal{S}_1(1^n, x, M, s, \ell)$ acts as a prover in a "right" interaction, communicating with a concurrent verifier $V^*$, while receiving some additional "external" messages on the "left". (The input $x$ is the statement to be proved, the input $M$ will later be instantiated with the codes of $\mathcal{S}_1, \dots, \mathcal{S}_k$, and the input $(s, \ell)$ is used to generate the randomness for $\mathcal{S}_1$; $s$ is the seed for the forward-secure pseudorandom generator $g$, and $\ell$ is the number of $n$-bit blocks to be generated using $g$.)

Let us now specify how $\mathcal{S}_1$ generates prover messages in its "right" interaction with $V^*$. $\mathcal{S}_1(1^n, x, M, s, \ell)$ acts as follows:

• Upon invocation, $\mathcal{S}_1$ generates its "random tape" by expanding the seed $s$; more specifically, let $(s_\ell, s_{\ell-1}, \dots, s_1), (q_\ell, q_{\ell-1}, \dots, q_1)$ be the output of $g(s, \ell)$. Again, we assume without loss of generality that $\mathcal{S}_1$ only needs $n$ bits of randomness to generate any prover message; in order to generate its $j$'th prover message, it uses $q_j$ as randomness.

• Upon receiving a hash function $h_i$ for session $i$ in communication round $j$, $\mathcal{S}_1$ provides a commitment $c_i$ to the hash of the programs $S_1, \dots, S_k$, defined as follows.

  – $S_1(1^n, j, s', \alpha) = \mathrm{wrap}(M_1(1^n, x, M, s', j), V^*, \alpha, j)$.

  – For $2 \le l \le k$, $S_l(1^n, j, s', \alpha) = \mathrm{wrap}'(M_l(1^n, x, M, s', j), \alpha, j)$, where $\mathrm{wrap}'(A, \alpha, j)$ is the program that executes $A$ for $j$ "communication rounds", while allowing $A$ to receive $\alpha$ as external messages "on the left", and finally outputs the set of messages generated by $A$ "on the right". Recall that $M_l$ will be instantiated by $\mathcal{S}_l$, which emulates the interaction among $\mathcal{S}_{l-1}, \dots, \mathcal{S}_1, V^*$, receives level-$l'$ certificates for $l' \ge l$ externally "on the left", and generates level-$(l-1)$ certificates on the "right"; "communication rounds" here still refer to the communication rounds of $\mathcal{S}_1$ and $V^*$. ($\mathrm{wrap}'$ simply returns $\bot$ whenever $A$ does not have the specified structure.)

• Upon receiving a challenge $r_i$ in session $i$ during the $j$'th communication round, $\mathcal{S}_1$ needs to provide a WIUA. To do so, $\mathcal{S}_1$ collects the witness as follows.

  – Let $l^*$ be the largest $l$ such that $j \ge n^{l-1}$.

  – For $1 \le l \le l^*$, set $s^l = s_{\lfloor j \rfloor_{n^{l-1}}}$ (i.e., the seed corresponding to communication round $\lfloor j \rfloor_{n^{l-1}}$; recall that $\lfloor j \rfloor_x = j - (j \bmod x)$).

  – For $1 \le l \le l^*$, recall that $\mathcal{S}_1$ expects to have received $a_l = \lfloor j \rfloor_{n^{l-1}} / n^{l-1}$ messages from $\mathcal{S}_{l+1}$ of the form $(a \cdot n^{l-1}, l, \pi^l_{a \cdot n^{l-1}})$ for $a \in [a_l]$.

    * Let $\pi^l$ be the P-certificate in the last message received from $\mathcal{S}_{l+1}$; by construction, this message was received in round $\lfloor j \rfloor_{n^{l-1}}$ and thus we have $\pi^l = \pi^l_{\lfloor j \rfloor_{n^{l-1}}}$.

    * Let $\lambda^l$ be the messages received from $\mathcal{S}_{l+1}$ up until and including round $\lfloor j \rfloor_{n^l}$; by construction, since $\mathcal{S}_{l+1}$ generates a message every $n^{l-1}$ communication rounds, $\lambda^l$ contains a total of $\lfloor j \rfloor_{n^l} / n^{l-1}$ messages.

    * Let $\alpha^l$ be the messages generated by $\mathcal{S}_{l+1}$ after round $\lfloor j \rfloor_{n^l}$ but before round $\lfloor j \rfloor_{n^{l-1}}$ (thus, we exclude the last message $\pi^l$ and the messages included in $\lambda^l$); since there are at most $n^l$ communication rounds after round $\lfloor j \rfloor_{n^l}$ and before round $\lfloor j \rfloor_{n^{l-1}}$, and (again) $\mathcal{S}_{l+1}$ generates a message every $n^{l-1}$ rounds, $\alpha^l$ contains at most $n$ messages; each such message is of length $n + O(\log n) < 2n$.

  – For $l^* < l \le k$, let $\lambda^l = \mathrm{null}$. (Note that also $\lambda^{l^*} = \mathrm{null}$ since $\lfloor j \rfloor_{n^{l^*}} = 0$.)

  – Finally, let $\rho$ and $S$ be the randomness and the machines, respectively, used to generate the commitment $c_i$ in the $i$'th session.

  If $\mathcal{S}_1$ fails to find a valid witness, $\mathcal{S}_1$ simply halts. Otherwise, $\mathcal{S}_1$ uses the above witness to provide an honest WIUA to $V^*$ that

  1. (Commitment consistency:) $c_i = \mathrm{com}(h_i(S_1, \dots, S_k); \rho)$,

  2. (Input certification:) $|\alpha| \le 2kn^2$, $\lambda^{l^*} = \mathrm{null}$ and for $2 \le l \le l^*$, $\pi^l$ certifies that $S_l(1^n, \lfloor j \rfloor_{n^{l-1}}, s^l, ([\lambda^l]_{\lfloor j \rfloor_{n^{l-1}}}, \alpha^l)) = \lambda^{l-1}$,

  3. (Prediction correctness:) $\pi^1$ certifies that $S_1(1^n, j, s^1, ([\lambda^1]_j, \alpha^1)) = r_i$.
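The forward-secure seed expansion used in $\mathcal{S}_1$'s first step above, and the reason the hybrid argument at the start of this section needs forward security, as an added worked example that is not part of the paper: it builds $g(s,\ell)$ from a length-doubling generator $G$ with $(s_{i-1}, q_i) = G(s_i)$ (HMAC-SHA256 stands in for $G$, an assumption made here so the code runs, not the paper's instantiation), and checks that the seed $s_j$ regenerates exactly the blocks $q_j, \dots, q_1$ of the rounds up to $j$, while $q_{j+1}, \dots, q_\ell$ were derived before $s_j$ existed; this is what lets the reduction from $H_{j+1}$ to $H'_j$ hand $s_j$ to the fake witness and still treat $q_{j+1}$ as the challenge. The names `g`, `seed_of_round`, `regenerate_from`, `hybrid_tape` and `consistent_with_full_expansion` are this example's own.

```python
import hashlib
import hmac
import os

N_BYTES = 32  # one "n-bit" block, n = 256 in this example


def _G(seed: bytes) -> tuple[bytes, bytes]:
    """Length-doubling generator G(s_i) = (s_{i-1}, q_i).

    Assumption of this example: HMAC-SHA256 under two fixed labels is
    modelled as a PRG.  The paper only requires some forward-secure PRG g.
    """
    next_seed = hmac.new(seed, b"next-seed", hashlib.sha256).digest()
    block = hmac.new(seed, b"round-block", hashlib.sha256).digest()
    return next_seed, block


def g(s: bytes, ell: int) -> tuple[list[bytes], list[bytes]]:
    """Forward-secure expansion in the paper's indexing.

    Returns ([s_ell, ..., s_1], [q_ell, ..., q_1]) with s_ell = s and
    (s_{i-1}, q_i) = G(s_i).  Round j of S_1 uses q_j as its randomness.
    Walking the chain downwards from s_ell means that s_j determines
    q_j, q_{j-1}, ..., q_1 (the rounds up to j) and nothing about
    q_{j+1}, ..., q_ell, which were produced before s_j was derived.
    """
    seeds, blocks = [], []
    cur = s
    for _ in range(ell):
        seeds.append(cur)
        cur, q = _G(cur)
        blocks.append(q)
    return seeds, blocks


def seed_of_round(seeds: list[bytes], j: int, ell: int) -> bytes:
    """s_j, picked out of the list [s_ell, ..., s_1]."""
    return seeds[ell - j]


def regenerate_from(s_j: bytes, j: int) -> dict[int, bytes]:
    """Everything a party holding s_j can recompute: {i: q_i} for 1 <= i <= j.

    This is what the fake witness at round j exposes through the seed
    s^l = s_{floor(j)_{n^(l-1)}} and what the hybrid reduction needs in
    order to emulate the rounds j' <= j.
    """
    _, blocks = g(s_j, j)          # blocks = [q_j, ..., q_1]
    return {j - i: blocks[i] for i in range(j)}


def hybrid_tape(s: bytes, ell: int, j: int) -> dict[int, bytes]:
    """Random tape of hybrid H_j: rounds 1..j pseudo-random from s,
    rounds j+1..ell truly random (os.urandom stands in for true coins)."""
    _, blocks = g(s, ell)          # blocks[ell - i] = q_i
    return {i: (blocks[ell - i] if i <= j else os.urandom(N_BYTES))
            for i in range(1, ell + 1)}


def consistent_with_full_expansion(s: bytes, ell: int, j: int) -> bool:
    """The rounds <= j that s_j regenerates are exactly the rounds <= j of the
    full expansion g(s, ell): handing s_j to the WIUA witness therefore never
    requires knowing s = s_ell, and round j+1 lies outside what s_j yields."""
    seeds, blocks = g(s, ell)
    full = {ell - i: blocks[i] for i in range(ell)}
    part = regenerate_from(seed_of_round(seeds, j, ell), j)
    return part == {i: full[i] for i in range(1, j + 1)}
```

`hybrid_tape(s, ell, j)` is the random tape of $H_j$; replacing its round-$(j+1)$ entry by `regenerate_from`-style pseudo-randomness turns it into the tape of $H_{j+1}$, and the only information the rest of the experiment needs is `seed_of_round(seeds, j, ell)`, which is why a forward-secure generator (rather than an ordinary PRG) is what the argument needs.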
Remark 2. Above, for every $1 \le l \le l^*$, $\mathcal{S}_1$ uses the P-certificate $\pi^l$ to certify the execution of $S_l$ up until communication round $\lfloor j \rfloor_{n^{l-1}}$ when providing $S_l$ with the "certified" inputs $\lambda^l$ and the "dangling" inputs $\alpha^l$. The bracket operator is used to ensure that the inputs given to $S_l$ are identically the same as the ones it was given when the P-certificate $\pi^l$ was generated at round $\lfloor j \rfloor_{n^{l-1}}$ (or else the statement proved by $\pi^l$ would be different from the one that $\mathcal{S}_1$ needs to provide a certificate about). The bracket operator simply "filters out" all messages that are generated at or after communication round $\lfloor j \rfloor_{n^{l-1}}$ (such messages are not yet part of $S_l$'s view when $\pi^l$ is generated).

As noted above, by construction, $\alpha$ always satisfies the appropriate length restrictions. Thus, the only thing we need to ensure is that the certificates received by $\mathcal{S}_1$ indeed prove the "right" statements for $\mathcal{S}_1$ to be able to complete its WIUAs; we shall see why this is the case shortly.
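The certificate schedule as seen by $\mathcal{S}_1$, the witness assembly above (which received messages become $\pi^l$, $\lambda^l$ and $\alpha^l$), the bracket operator $[\cdot]_j$ of Section 4.2 and the $|\alpha| \le 2kn^2$ bound, as an added worked example that is not part of the paper. Certificates are constructed placeholder strings naming their round and level (no P-certificate system is run), so only the bookkeeping is exercised: how $\lfloor j \rfloor_x$ selects messages, why $\lambda^{l^*}$ is empty, and why $[\lambda^l]_{\lfloor j \rfloor_{n^{l-1}}}$ drops the round-$\lfloor j \rfloor_{n^{l-1}}$ message exactly when $j$ is a multiple of $n^l$. The function names are this example's own.

```python
from collections import namedtuple

Msg = namedtuple("Msg", "round level cert")   # (j', l', pi^{l'}_{j'})


def floor_to(j: int, x: int) -> int:
    """floor(j)_x = j - (j mod x)."""
    return j - (j % x)


def bracket(msgs: list, j: int) -> list:
    """[.]_j : drop every message generated in communication round j or later."""
    return [m for m in msgs if m.round < j]


def level_star(j: int, n: int, k: int) -> int:
    """l* = largest l (at most k) with j >= n^(l-1)."""
    l = 1
    while l < k and j >= n ** l:
        l += 1
    return l


def levels_generated_at(j: int, n: int, k: int) -> list:
    """Levels l whose certificate S_{l+1} emits in round j:
    level 1 every round, level l every n^(l-1) rounds."""
    return [l for l in range(1, k + 1) if j % n ** (l - 1) == 0]


def received_by_round(j: int, n: int, k: int) -> list:
    """All (round, level, cert) triples S_1 holds once round j's left messages
    are in.  Certificates are constructed placeholders."""
    return [Msg(r, l, f"pi^{l}_{r}")
            for r in range(1, j + 1) for l in levels_generated_at(r, n, k)]


def assemble_witness(j: int, n: int, k: int, msgs: list):
    """The (pi^l, lambda^l, alpha^l) components S_1 collects for a WIUA in
    round j.  Raises ValueError where S_1 would 'fail to find a valid witness'."""
    ls = level_star(j, n, k)
    pi, lam, alpha = {}, {}, {}
    for l in range(1, ls + 1):
        lvl = [m for m in msgs if m.level == l]
        lo, hi = floor_to(j, n ** l), floor_to(j, n ** (l - 1))
        last = [m for m in lvl if m.round == hi]     # pi^l = pi^l_{floor(j)_{n^(l-1)}}
        if len(last) != 1:
            raise ValueError(f"missing level-{l} certificate for round {hi}")
        pi[l] = last[0].cert
        lam[l] = [m for m in lvl if m.round <= lo]          # certified part
        alpha[l] = [m for m in lvl if lo < m.round < hi]    # dangling part
        if len(lam[l]) != lo // n ** (l - 1) or len(alpha[l]) > n:
            raise ValueError(f"level-{l} message counts do not match the schedule")
    for l in range(ls + 1, k + 1):
        lam[l] = []                                          # lambda^l = null
    return ls, pi, lam, alpha


def certified_inputs(j: int, n: int, k: int, msgs: list) -> dict:
    """Input ([lambda^l]_{floor(j)_{n^(l-1)}}, alpha^l) handed to program S_l in
    the relation R_S (for level 1 this is ([lambda^1]_j, alpha^1))."""
    ls, _, lam, alpha = assemble_witness(j, n, k, msgs)
    return {l: (bracket(lam[l], floor_to(j, n ** (l - 1))), alpha[l])
            for l in range(1, ls + 1)}


def dangling_bits(alpha: dict, n: int) -> int:
    """Upper bound on |alpha| using the per-message bound n + O(log n) < 2n."""
    return sum(len(v) for v in alpha.values()) * 2 * n


def within_input_certification(alpha: dict, n: int, k: int) -> bool:
    """Condition 2(a) of R_S: |alpha| <= 2 k n^2."""
    return dangling_bits(alpha, n) <= 2 * k * n * n
```

With $n = 4$, $k = 3$ and $j = 36$ (a multiple of $n^2$), `assemble_witness` picks $\pi^1 = \pi^1_{36}$, $\pi^2 = \pi^2_{36}$ and $\pi^3 = \pi^3_{32}$, gives $\lambda^1$ all 36 level-1 messages, $\lambda^2$ the 8 level-2 messages up to round 32, $\lambda^3 = \mathrm{null}$ and a single dangling level-3 message at round 16; `certified_inputs` then strips the round-36 message from $\lambda^1$ because it is not part of $S_1$'s view when $\pi^1_{36}$ is produced, whereas at $j = 37$ nothing is stripped.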

We now turn to defining $\mathcal{S}_l$ for $2 \le l \le k+1$, inductively. Suppose $\mathcal{S}_1, \dots, \mathcal{S}_{l-1}$ are defined. $\mathcal{S}_l(1^n, x, M, s, \ell)$ emulates the interaction among $\mathcal{S}_{l-1}(1^n, x, M, s, \ell), \dots, \mathcal{S}_1(1^n, x, M, s, \ell), V^*$ for $\ell$ communication rounds, while expecting to receive external messages "on the left".

• In each communication round $j$ with $j \bmod n^{l-2} = 0$ (i.e., every $n^{l-2}$ rounds, matching the level-$(l-1)$ schedule described above), after $V^*$ sends a verifier message $m_j$, we distinguish two cases.

  – If $l = 2$, $\mathcal{S}_2$ generates a certificate $\pi^1_j$ (using $P_{cert}$) that $\mathrm{wrap}(\mathcal{S}_1(1^n, x, M, s_j, j), V^*, \tau, j) = m_j$, where $\tau$ is the set of messages $\mathcal{S}_1$ has received so far, and outputs $(j, 1, \pi^1_j)$.

  – If $l > 2$, $\mathcal{S}_l$ continues to emulate the round to the point that (the internally emulated) $\mathcal{S}_{l-1}$ outputs its message $(j, l-2, \pi^{l-2}_j)$, and then $\mathcal{S}_l$ generates a certificate $\pi^{l-1}_j$ that $\mathrm{wrap}'(\mathcal{S}_{l-1}(1^n, x, M, s_j, j), \tau, j) = \eta$, where $\tau$ is the set of messages that $\mathcal{S}_{l-1}$ has received so far and $\eta$ is the set of messages $\mathcal{S}_{l-1}$ has generated so far (in the internal emulation). Then $\mathcal{S}_l$ outputs the message $(j, l-1, \pi^{l-1}_j)$.

• In each communication round $j$ s.t. $j \bmod n^{l-1} = 0$, after generating its message $(j, l-1, \pi^{l-1}_j)$, $\mathcal{S}_l$ expects to receive external messages $(j, l'-1, \pi^{l'-1}_j)$ "on the left" for every $l' > l$ such that $j \bmod n^{l'-2} = 0$. $\mathcal{S}_l$ simply relays these messages to its internally emulated $\mathcal{S}_{l-1}, \dots, \mathcal{S}_1$.

Finally, $\mathcal{S}_l$ outputs its own view at the end of the execution (which in particular contains the view of $V^*$ and all the messages generated by $\mathcal{S}_l$).

Note that the construction of $\mathcal{S}_2, \dots, \mathcal{S}_{k+1}$ ensures that $\mathcal{S}_1$ will always have the appropriate certificates to complete every WIUA it reaches; as a consequence, $\mathcal{S}_1$ never gets "stuck".

Let $\vec{\mathcal{S}} = (\mathcal{S}_1, \dots, \mathcal{S}_k)$. The final simulator $\mathcal{S}(1^n, x)$ simply runs $\mathcal{S}_{k'}(1^n, x, \vec{\mathcal{S}}, s, T(n+|x|))$, where $s$ is a uniformly random string of length $n$, $T(n+|x|)$ is a polynomial upper bound on the number of messages sent by $V^*$ on input $1^n$ and statement $x \in \{0,1\}^{\mathrm{poly}(n)}$, and $k' = \lceil \log_n T(n+|x|) \rceil + 1$, and then extracts and outputs the view of $V^*$ from the output of $\mathcal{S}_{k'}$. Note that since $T$ is polynomial in $n$, $k'$ is a constant.

Running-time of $\mathcal{S}$.  We first note that essentially the same argument as for Protocol 1 shows that $\mathcal{S}_1$ runs in polynomial time: It only takes $\mathcal{S}_1$ polynomial time to generate the commitments in Phase 1 (since $V^*$ has a polynomial-length description, and the programs $S_l$ have length polynomial in the size of $V^*$). During the WIUA in Phase 2, the length of the witness used by the simulator is polynomial in the length of the programs $S_l$ and of their inputs and outputs, all of which are polynomial in the circuit size of $V^*$. Since the P-certificate verification time is polynomial in the length of the statement proved, it follows that the relation being proved in the WIUA has a time complexity that is upper bounded by a fixed polynomial in the length of $V^*$. By the relative prover efficiency condition of the WIUA, each such proof only requires some fixed polynomial time, and thus the whole execution of $\mathcal{S}_1$ takes some fixed polynomial time (in the size of $V^*$, and thus also in the length of $x$). It directly follows that also $S_1$'s running time is polynomially bounded.

It now follows by induction that $\mathcal{S}_l$ and $S_l$ run in polynomial time for every constant $l$. Suppose $\mathcal{S}_{l-1}$ and $S_{l-1}$ run in polynomial time. Since $\mathcal{S}_l$ is simply providing certificates about the execution of $\mathcal{S}_{l-1}$, it follows by the relative prover-efficiency condition of P-certificates that $\mathcal{S}_l$ runs in polynomial time, and thus also $S_l$. Finally, as $\mathcal{S}$ simply runs $\mathcal{S}_{k'}$ with a constant $k'$, the running time of $\mathcal{S}$ is polynomially bounded as well.

Indistinguishability of the simulation.  Note that by the construction of $\mathcal{S}$, the simulation never gets "stuck", in the sense that whenever $V^*$ expects a WIUA in some session, $\mathcal{S}$ has an appropriate "fake" witness and can complete the WIUA using this "fake" witness. Indistinguishability of the simulation follows in identically the same way as for Protocol 1.

4.3  Dealing with Randomized P-certificates

As mentioned above, to simplify the exposition, our protocol uses a strong P-certificate system $(P_{cert}, V_{cert})$ with deterministic prover and verifier strategies. We here sketch how to deal with the case when $P_{cert}$ and $V_{cert}$ are randomized.

• Handling randomized $V_{cert}$. If $V_{cert}$ is randomized, we simply need to let the verifier $V$ generate the randomness for $V_{cert}$, but to guarantee soundness of the P-certificates, $V$ needs to do so after the P-certificates are determined. We do this by adding a new communication round before Phase 2 where the prover is first asked to commit to the $k$ P-certificates $\pi^1, \dots, \pi^k$ that it wants to use in Phase 2 (the honest prover should simply commit to $0^{kn}$), and next the verifier selects randomness $\rho^1, \dots, \rho^k$ for $V_{cert}$, one for each of these certificates. In Phase 2, the prover is then asked to demonstrate that for each certificate $l \in [k]$, $V_{cert}$ using randomness $\rho^l$ accepts $\pi^l$ (where $\pi^l$ is the certificate committed to in the new round).

• Handling randomized $P_{cert}$. If $P_{cert}$ is randomized, the helper simulators $\mathcal{S}_2, \dots, \mathcal{S}_{k+1}$ also become randomized. As with $\mathcal{S}_1$, there is now a potential "randomness-dependent" issue, since the simulators generate certificates about their own behaviour in earlier communication rounds (in particular, $\mathcal{S}_1$ needs to know the randomness of all "helper" simulators). We can break the circularity by using forward-secure PRGs in exactly the same way as was done for $\mathcal{S}_1$: each simulator $\mathcal{S}_l$ uses an independent seed for a forward-secure PRG to expand the randomness used for generating level-$(l-1)$ certificates in each communication round, and then uses the seed $s^l_j$ as an input to $S_l$ when generating certificates at communication round $j$.

4.4  A Note on Uniform Assumptions

We remark that even in the case of uniform soundness, our protocol currently relies on families of hash functions that are collision-resistant also against non-uniform polynomial-time algorithms. Note, however, that for our soundness proof it suffices to use commitment schemes that are binding for uniform polynomial-time algorithms and a WIUA whose proof-of-knowledge property is proven secure using a uniform security reduction. (We still need the hiding and the witness indistinguishability properties to hold against non-uniform polynomial time to establish ZK with arbitrary auxiliary inputs.) We see no obstacles in obtaining these properties by instantiating our protocol with statistically-hiding commitments and a "special-purpose" WIUA from [PR05], which also relies on statistically-hiding commitments, but we have not verified the details. In particular, if we only rely on statistically-hiding commitments where the (computational) binding holds against uniform polynomial-time algorithms, such commitments can be based on families of hash functions that are collision-resistant against uniform polynomial-time algorithms.